mshta.exe and cmd.exe running a lot of processes

Discussion in 'Malware Help (A Specialist Will Reply)' started by chachie, Feb 24, 2009.

  1. chachie

    chachie Private E-2

    Hello,
    I have done everything in READ AND RUN ME FIRST as well as the Windows XP cleaning procedure. I noticed a week ago in my Process Explorer that mshta.exe will keep adding processes. I kill them when there get to be about 20, but this interferes with internet connection. Since I have performed the READ AND RUN ME FIRST and cleaning procedure, I noticed that cmd.exe will keep adding processes; last time I checked it was about 20 as well.
    Nothing else seems to be out of the ordinary, but I was wondering if this is normal or a sign of something wrong.
    Thank you for any assistance.
    Chachie
     

    Attached Files:

  2. chachie

    chachie Private E-2

    Last attachment...
     

    Attached Files:

  3. chachie

    chachie Private E-2

    Almost forgot, before I removed AVG and replaced it with Avira, I was getting messages from AVG saying "Exploit JavaScript Obfuscation", but I wasn't able to quarantine or remove anything. That was what got me poking around the system and noticed the mshta.exe (and now cmd.exe!).
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:

    Use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 4

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  5. chachie

    chachie Private E-2

    Thanks for taking a look at this...
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't know what happened but you are now seriously infected.

    Here is what I want you to do: re-run both SAS and MBAM and then do this:
    Using BitDefender Online Scan

    When finished, attach the SAS, MBAM, Bit scan and a new MGLogs.zip
     
  7. chachie

    chachie Private E-2

    Here are the logs.
    No problems were found with MBAM or SAS.
    Bitdefender found no problems, but I wasn't able to attach the file as a .txt, as .html was my only option.
    I do not have the replicating processes running anymore (cmd.exe and mshta.exe).
    Just out of curiosity and for future knowledge, since none of the programs are finding anything, what indicates such a "serious" infection? If you weren't helping I probably wouldn't realize anything was wrong.

    Thanks again for your assistance.
     

    Attached Files:

  8. chachie

    chachie Private E-2

    and the mglogs zip...
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    What I mean is this (every one of these needs to be deleted):
    Code:
    C:\"
    a7y.bat       Feb 23 2009        8150  "a7y.bat"
    a8ij00l7.txt  Feb 25 2009          51  "A8IJ00l7.txt"
    a8ij00~1.txt  Feb 25 2009          51  "A8IJ00l72.txt"
    aco.bat       Feb 22 2009         159  "ACo.bat"
    aco2.bat      Feb 22 2009         115  "ACo2.bat"
    acwfyw.bat    Feb 25 2009         159  "AcwFyw.bat"
    acwfyw2.bat   Feb 25 2009         115  "AcwFyw2.bat"
    aehyznvn.exe  Feb 22 2009           0  "aehYzNVN.exe"
    aehyzn~1.exe  Feb 22 2009           0  "aehYzNVN2.exe"
    aev.bat       Feb 22 2009         145  "AEV.bat"
    aev2.bat      Feb 22 2009         109  "AEV2.bat"
    afdf9es.txt   Feb 25 2009          49  "aFDf9ES.txt"
    afdf9es2.txt  Feb 25 2009          49  "aFDf9ES2.txt"
    agaw.txt      Feb 24 2009          52  "aGAW.txt"
    agaw2.txt     Feb 24 2009          52  "aGAW2.txt"
    aom.bat       Feb 25 2009         144  "AOm.bat"
    aom2.bat      Feb 25 2009         110  "AOm2.bat"
    auoagyd.exe   Feb 25 2009        1448  "AUOAGyd.exe"
    auoagyd2.exe  Feb 25 2009        1448  "AUOAGyd2.exe"
    bjd.exe       Feb 22 2009           0  "bjd.exe"
    bjd2.exe      Feb 22 2009           0  "bjd2.exe"
    bl4eo.bat     Feb 22 2009        8149  "bl4EO.bat"
    bsk.bat       Feb 24 2009         144  "BSK.bat"
    bsk2.bat      Feb 24 2009         110  "BSK2.bat"
    bufk0f.bat    Feb 22 2009         156  "BuFK0f.bat"
    bufk0f2.bat   Feb 22 2009         114  "BuFK0f2.bat"
    bvwx.exe      Feb 25 2009        1448  "bvwx.exe"
    bvwx2.exe     Feb 25 2009           0  "bvwx2.exe"
    bxnk5fe.bat   Feb 24 2009         159  "Bxnk5Fe.bat"
    bxnk5fe2.bat  Feb 24 2009         115  "Bxnk5Fe2.bat"
    byvegcdj.bat  Feb 25 2009        8150  "byveGcDj.bat"
    byyu.bat      Feb 22 2009         153  "byYU.bat"
    byyu2.bat     Feb 22 2009         113  "byYU2.bat"
    c6nmd.bat     Feb 24 2009         152  "c6nMd.bat"
    c6nmd2.bat    Feb 24 2009         110  "c6nMd2.bat"
    c80.exe       Feb 25 2009        1448  "C80.exe"
    c802.exe      Feb 25 2009        1448  "C802.exe"
    cbv01yvp.bat  Feb 22 2009        8149  "cBv01yVp.bat"
    cpcmn9u.bat   Feb 24 2009        8150  "CPcmn9u.bat"
    cppfeiz.txt   Feb 24 2009          48  "cppfeIz.txt"
    cppfeiz2.txt  Feb 24 2009          48  "cppfeIz2.txt"
    csba.txt      Feb 22 2009          54  "CsBA.txt"
    csba2.txt     Feb 22 2009          54  "CsBA2.txt"
    cug.bat       Feb 24 2009         146  "cuG.bat"
    cug2.bat      Feb 24 2009         108  "cuG2.bat"
    cvit.exe      Feb 25 2009           0  "CVIt.exe"
    cvit2.exe     Feb 25 2009           0  "CVIt2.exe"
    cvt.bat       Feb 23 2009         145  "CVT.bat"
    cvt2.bat      Feb 23 2009         109  "CVT2.bat"
    cxw.txt       Feb 25 2009          48  "cxW.txt"
    cxw2.txt      Feb 25 2009          48  "cxW2.txt"
    d015.bat      Feb 22 2009         154  "d015.bat"
    d0152.bat     Feb 22 2009         112  "d0152.bat"
    d7trz.bat     Feb 24 2009         144  "D7tRZ.bat"
    d7trz2.bat    Feb 24 2009         110  "D7tRZ2.bat"
    d9r.bat       Feb 25 2009        8150  "d9R.bat"
    dbjqp.txt     Feb 22 2009          51  "DBJqp.txt"
    dbjqp2.txt    Feb 22 2009          51  "DBJqp2.txt"
    deeextv.bat   Feb 25 2009         144  "DEEEXtV.bat"
    deeextv2.bat  Feb 25 2009         108  "DEEEXtV2.bat"
    dsuxl.exe     Feb 22 2009           0  "DSUXL.exe"
    dsuxl2.exe    Feb 22 2009           0  "DSUXL2.exe"
    dy0b.txt      Feb 22 2009          52  "dY0b.txt"
    dy0b2.txt     Feb 22 2009          52  "dY0b2.txt"
    eesno.bat     Feb 22 2009        8149  "eesNo.bat"
    ehsvvq.txt    Feb 22 2009          51  "eHsvvQ.txt"
    ehsvvq2.txt   Feb 22 2009          51  "eHsvvQ2.txt"
    ekz.txt       Feb 22 2009          52  "eKz.txt"
    ekz2.txt      Feb 22 2009          52  "eKz2.txt"
    eq9npj.bat    Feb 24 2009        8150  "eQ9NPj.bat"
    ewyw.exe      Feb 25 2009        1448  "EwYW.exe"
    ewyw2.exe     Feb 25 2009        1448  "EwYW2.exe"
    ffjklfm.exe   Feb 25 2009        1448  "fFjklFM.exe"
    ffjklfm2.exe  Feb 25 2009        1448  "fFjklFM2.exe"
    fiy.exe       Feb 25 2009           0  "fIy.exe"
    fiy2.exe      Feb 25 2009        1448  "fIy2.exe"
    fmtv.bat      Feb 22 2009         150  "FMtV.bat"
    fmtv2.bat     Feb 22 2009         112  "FMtV2.bat"
    fprgy3.bat    Feb 22 2009        8149  "fPRGy3.bat"
    fr5e.txt      Feb 24 2009          52  "fr5e.txt"
    fr5e2.txt     Feb 24 2009          52  "fr5e2.txt"
    fs0upad.bat   Feb 22 2009         151  "fS0uPAd.bat"
    fs0upad2.bat  Feb 22 2009         109  "fS0uPAd2.bat"
    ft82j2td.bat  Feb 22 2009         149  "fT82j2Td.bat"
    ft82j2~1.bat  Feb 22 2009         111  "fT82j2Td2.bat"
    fto.exe       Feb 25 2009        1448  "FTO.exe"
    fto2.exe      Feb 25 2009        1448  "FTO2.exe"
    fuka3.bat     Feb 22 2009         159  "fUKA3.bat"
    fuka32.bat    Feb 22 2009         115  "fUKA32.bat"
    fulxlwo.txt   Feb 22 2009          54  "fuLXLwO.txt"
    fulxlwo2.txt  Feb 22 2009          54  "fuLXLwO2.txt"
    g7txuknh.bat  Feb 24 2009        8150  "g7tXUKNh.bat"
    g9otnvjl.txt  Feb 24 2009          48  "G9otNvJL.txt"
    g9otnv~1.txt  Feb 24 2009          48  "G9otNvJL2.txt"
    gaxw.bat      Feb 25 2009        8150  "gaXw.bat"
    gbf.bat       Feb 22 2009         141  "gBF.bat"
    gbf2.bat      Feb 22 2009         107  "gBF2.bat"
    gdx7.bat      Feb 22 2009         148  "Gdx7.bat"
    gdx72.bat     Feb 22 2009         110  "Gdx72.bat"
    ge6cqr.txt    Feb 24 2009          51  "gE6CQR.txt"
    ge6cqr2.txt   Feb 24 2009          51  "gE6CQR2.txt"
    ge7atow.exe   Feb 24 2009        1448  "gE7AToW.exe"
    ge7atow2.exe  Feb 24 2009        1448  "gE7AToW2.exe"
    gg979.bat     Feb 22 2009         147  "GG979.bat"
    gg9792.bat    Feb 22 2009         109  "GG9792.bat"
    ggj58gqa.bat  Feb 22 2009        8149  "ggj58gQa.bat"
    gh4dx.bat     Feb 25 2009         150  "gh4dx.bat"
    gh4dx2.bat    Feb 25 2009         110  "gh4dx2.bat"
    gi0kif.exe    Feb 22 2009           0  "GI0kiF.exe"
    gi0kif2.exe   Feb 22 2009           0  "GI0kiF2.exe"
    gi9fak.bat    Feb 25 2009         146  "Gi9Fak.bat"
    gi9fak2.bat   Feb 25 2009         110  "Gi9Fak2.bat"
    gki496hf.bat  Feb 22 2009        8149  "GKi496Hf.bat"
    gkyz.bat      Feb 24 2009        8150  "GKyZ.bat"
    gmirq.exe     Feb 22 2009           0  "gMirQ.exe"
    gmirq2.exe    Feb 22 2009           0  "gMirQ2.exe"
    gphwm0he.txt  Feb 22 2009          54  "gPhwM0He.txt"
    gphwm0~1.txt  Feb 22 2009          54  "gPhwM0He2.txt"
    gtxcap.bat    Feb 25 2009         158  "GTXcAP.bat"
    gtxcap2.bat   Feb 25 2009         114  "GTXcAP2.bat"
    gwq5.exe      Feb 25 2009           0  "GWq5.exe"
    gwq52.exe     Feb 25 2009           0  "GWq52.exe"
    gz9c.txt      Feb 22 2009          53  "gZ9c.txt"
    gz9c2.txt     Feb 22 2009          53  "gZ9c2.txt"
    gzkakghq.bat  Feb 22 2009         156  "gzKakgHQ.bat"
    gzkakg~1.bat  Feb 22 2009         114  "gzKakgHQ2.bat"
    h3sow.bat     Feb 24 2009        8150  "h3SOW.bat"
    h91vteo.bat   Feb 22 2009         149  "H91VtEO.bat"
    h91vteo2.bat  Feb 22 2009         109  "H91VtEO2.bat"
    h9c.exe       Feb 24 2009        1448  "H9C.exe"
    h9c2.exe      Feb 24 2009           0  "H9C2.exe"
    hci.exe       Feb 24 2009        1448  "Hci.exe"
    hci2.exe      Feb 24 2009        1448  "Hci2.exe"
    hd8t9.bat     Feb 24 2009         154  "Hd8T9.bat"
    hd8t92.bat    Feb 24 2009         112  "Hd8T92.bat"
    hdomz.exe     Feb 25 2009        1448  "hdoMZ.exe"
    hdomz2.exe    Feb 25 2009        1448  "hdoMZ2.exe"
    hedphc6.bat   Feb 22 2009        8149  "HEDpHC6.bat"
    hhmh.bat      Feb 25 2009        8150  "HHmh.bat"
    hk4km3l.bat   Feb 25 2009         155  "hK4km3l.bat"
    hk4km3l2.bat  Feb 25 2009         111  "hK4km3l2.bat"
    hoyiyfg1.bat  Feb 24 2009        8150  "HOYiYfg1.bat"
    hrj7.exe      Feb 23 2009        1448  "Hrj7.exe"
    hrj72.exe     Feb 23 2009        1448  "Hrj72.exe"
    hzxdg.bat     Feb 22 2009         155  "HZXdG.bat"
    hzxdg2.bat    Feb 22 2009         111  "HZXdG2.bat"
    i4c.txt       Feb 22 2009          52  "i4c.txt"
    i4c2.txt      Feb 22 2009          52  "i4c2.txt"
    i4do.bat      Feb 22 2009         150  "i4Do.bat"
    i4do2.bat     Feb 22 2009         112  "i4Do2.bat"
    i9lnlz6.bat   Feb 22 2009        8149  "i9LnlZ6.bat"
    iav.bat       Feb 25 2009        8150  "iAv.bat"
    iczpmk.bat    Feb 22 2009        8149  "iCZPMk.bat"
    ifeu.exe      Feb 22 2009           0  "IfeU.exe"
    ifeu2.exe     Feb 22 2009           0  "IfeU2.exe"
    ifw.bat       Feb 24 2009        8150  "iFw.bat"
    igluxz.bat    Feb 22 2009        8149  "IgLuXz.bat"
    ih67gf3l.bat  Feb 22 2009        8149  "ih67Gf3l.bat"
    ihgi1w3i.bat  Feb 25 2009        8150  "IhGI1w3I.bat"
    ihgmon.bat    Feb 22 2009         152  "ihGmoN.bat"
    ihgmon2.bat   Feb 22 2009         112  "ihGmoN2.bat"
    imcuv1v.exe   Feb 24 2009        8688  "imcUV1v.exe"
    imcuv1v2.exe  Feb 24 2009        1448  "imcUV1v2.exe"
    imxkrivg.txt  Feb 22 2009          53  "ImXkrIVg.txt"
    imxkri~1.txt  Feb 22 2009          53  "ImXkrIVg2.txt"
    isjpwh~1.exe  Feb 24 2009        1448  "IsJPwHlo2.exe"
    isjyso1.exe   Feb 22 2009           0  "IsJySo1.exe"
    iuh47.bat     Feb 25 2009        8150  "iuH47.bat"
    ivt7.bat      Feb 22 2009         142  "IVT7.bat"
    ivt72.bat     Feb 22 2009         108  "IVT72.bat"
    j1djd.bat     Feb 24 2009         151  "J1djD.bat"
    j1djd2.bat    Feb 24 2009         111  "J1djD2.bat"
    j1fhudj.txt   Feb 25 2009          49  "J1FHUdJ.txt"
    j1fhudj2.txt  Feb 25 2009          49  "J1FHUdJ2.txt"
    jby6lfhp.exe  Feb 22 2009           0  "Jby6LFhP.exe"
    jby6lf~1.exe  Feb 22 2009           0  "Jby6LFhP2.exe"
    jdbiz5g.bat   Feb 22 2009        8149  "JdBIZ5G.bat"
    jdrv.bat      Feb 25 2009        8150  "Jdrv.bat"
    jevrej1.bat   Feb 22 2009         158  "JeVreJ1.bat"
    jevrej12.bat  Feb 22 2009         114  "JeVreJ12.bat"
    jib.bat       Feb 25 2009        8150  "Jib.bat"
    jlkbos.bat    Feb 24 2009         145  "jlkBOS.bat"
    jlkbos2.bat   Feb 24 2009         109  "jlkBOS2.bat"
    jn2jezmr.exe  Feb 25 2009        1448  "jn2JEzMR.exe"
    jn2jez~1.exe  Feb 25 2009        1448  "jn2JEzMR2.exe"
    jncqu.bat     Feb 25 2009        8150  "jNcqu.bat"
    jqhuer5y.bat  Feb 25 2009         147  "JQhuER5Y.bat"
    jqhuer~1.bat  Feb 25 2009         111  "JQhuER5Y2.bat"
    jryhte.bat    Feb 24 2009        8150  "jRyHte.bat"
    k0k2mj.txt    Feb 22 2009          52  "k0k2mj.txt"
    k0k2mj2.txt   Feb 22 2009          52  "k0k2mj2.txt"
    kd2vwqry.exe  Feb 22 2009           0  "kD2VWQry.exe"
    kd2vwq~1.exe  Feb 22 2009           0  "kD2VWQry2.exe"
    ke0fvkvn.txt  Feb 22 2009          53  "kE0fvKvN.txt"
    ke0fvk~1.txt  Feb 22 2009          53  "kE0fvKvN2.txt"
    kg82k.txt     Feb 25 2009          48  "kG82K.txt"
    kg82k2.txt    Feb 25 2009          48  "kG82K2.txt"
    kgqz.txt      Feb 25 2009          52  "kgqZ.txt"
    kgqz2.txt     Feb 25 2009          52  "kgqZ2.txt"
    km1.txt       Feb 22 2009          54  "KM1.txt"
    km12.txt      Feb 22 2009          54  "KM12.txt"
    kt95dq.exe    Feb 22 2009           0  "kt95dQ.exe"
    kt95dq2.exe   Feb 22 2009           0  "kt95dQ2.exe"
    ku6rwt.txt    Feb 25 2009          49  "kU6RWT.txt"
    ku6rwt2.txt   Feb 25 2009          49  "kU6RWT2.txt"
    kvmk4qv.txt   Feb 25 2009          52  "Kvmk4Qv.txt"
    kvmk4qv2.txt  Feb 25 2009          52  "Kvmk4Qv2.txt"
    kx43xjp.bat   Feb 24 2009         143  "kX43xjP.bat"
    kx43xjp2.bat  Feb 24 2009         109  "kX43xjP2.bat"
    lbv9m.bat     Feb 22 2009        8149  "lbV9M.bat"
    li0yvu6.exe   Feb 22 2009           0  "lI0yVU6.exe"
    lj1wcik.bat   Feb 25 2009         155  "lJ1wCIK.bat"
    lj1wcik2.bat  Feb 25 2009         113  "lJ1wCIK2.bat"
    lk5.bat       Feb 22 2009        8149  "Lk5.bat"
    llelqgz6.txt  Feb 25 2009          49  "lLeLQgz6.txt"
    llelqg~1.txt  Feb 25 2009          49  "lLeLQgz62.txt"
    llfh.txt      Feb 22 2009          51  "LLfH.txt"
    llfh2.txt     Feb 22 2009          51  "LLfH2.txt"
    lmnqn.bat     Feb 25 2009        8150  "lmnQn.bat"
    ln9wxxe.bat   Feb 23 2009        8150  "Ln9WxXe.bat"
    lxyr.bat      Feb 25 2009         146  "lxyr.bat"
    lxyr2.bat     Feb 25 2009         108  "lxyr2.bat"
    lxzjp.exe     Feb 22 2009           0  "LXZJp.exe"
    lxzjp2.exe    Feb 22 2009           0  "LXZJp2.exe"
    lyhjw.bat     Feb 24 2009        8150  "LYhjw.bat"
    m4dm81qe.bat  Feb 22 2009        8149  "M4Dm81qE.bat"
    mbpf.txt      Feb 25 2009          50  "MBpF.txt"
    mbpf2.txt     Feb 25 2009          50  "MBpF2.txt"
    mey.bat       Feb 25 2009         146  "MEY.bat"
    mey2.bat      Feb 25 2009         110  "MEY2.bat"
    mfjo31o1.txt  Feb 25 2009          53  "Mfjo31O1.txt"
    mfjo31~1.txt  Feb 25 2009          53  "Mfjo31O12.txt"
    mfl90k.exe    Feb 24 2009           0  "mFl90k.exe"
    mfl90k2.exe   Feb 24 2009        8688  "mFl90k2.exe"
    mkwo2.exe     Feb 24 2009           0  "mKwo2.exe"
    mujmesp.exe   Feb 22 2009           0  "MUJmEsP.exe"
    mujmesp2.exe  Feb 22 2009           0  "MUJmEsP2.exe"
    mxvjry.bat    Feb 25 2009         152  "mXVjRy.bat"
    mxvjry2.bat   Feb 25 2009         110  "mXVjRy2.bat"
    n0seu.txt     Feb 25 2009          49  "N0sEU.txt"
    n0seu2.txt    Feb 25 2009          49  "N0sEU2.txt"
    n24ihriy.bat  Feb 22 2009        8149  "n24ihRiY.bat"
    nbigbi8e.bat  Feb 25 2009         154  "NbIgbI8e.bat"
    nbigbi~1.bat  Feb 25 2009         110  "NbIgbI8e2.bat"
    nbzub.bat     Feb 22 2009        8149  "nBzuB.bat"
    ndenvin5.bat  Feb 22 2009         154  "NDeNVIn5.bat"
    ndenvi~1.bat  Feb 22 2009         110  "NDeNVIn52.bat"
    neozg.txt     Feb 25 2009          50  "NEoZG.txt"
    neozg2.txt    Feb 25 2009          50  "NEoZG2.txt"
    ngjfo.bat     Feb 22 2009        8149  "nGjfo.bat"
    nhcbz2xj.bat  Feb 25 2009         155  "NhCBz2xJ.bat"
    nhcbz2~1.bat  Feb 25 2009         113  "NhCBz2xJ2.bat"
    nin.bat       Feb 24 2009         150  "NIN.bat"
    nin2.bat      Feb 24 2009         112  "NIN2.bat"
    nm5jyjab.txt  Feb 24 2009          53  "nm5JyJab.txt"
    nm5jyj~1.txt  Feb 24 2009          53  "nm5JyJab2.txt"
    nrkvlb6.bat   Feb 25 2009         147  "NrkVlb6.bat"
    nrkvlb62.bat  Feb 25 2009         109  "NrkVlb62.bat"
    ns1eb.bat     Feb 25 2009        8150  "Ns1EB.bat"
    nww.exe       Feb 25 2009           0  "NwW.exe"
    nww2.exe      Feb 25 2009        1448  "NwW2.exe"
    ny2.exe       Feb 22 2009           0  "NY2.exe"
    ny22.exe      Feb 22 2009           0  "NY22.exe"
    oagttug.exe   Feb 25 2009        1448  "oAGTtUG.exe"
    oagttug2.exe  Feb 25 2009        1448  "oAGTtUG2.exe"
    oak0hnfs.exe  Feb 25 2009           0  "OaK0hnfs.exe"
    oak0hn~1.exe  Feb 25 2009           0  "OaK0hnfs2.exe"
    obf4.bat      Feb 22 2009         147  "OBf4.bat"
    obf42.bat     Feb 22 2009         109  "OBf42.bat"
    ocrr9iy.exe   Feb 22 2009           0  "oCrR9IY.exe"
    ocrr9iy2.exe  Feb 22 2009           0  "oCrR9IY2.exe"
    oeqwhy.exe    Feb 25 2009        1448  "oEQWhY.exe"
    oeqwhy2.exe   Feb 25 2009        1448  "oEQWhY2.exe"
    oil9s2qe.txt  Feb 25 2009          48  "OIL9S2Qe.txt"
    oil9s2~1.txt  Feb 25 2009          48  "OIL9S2Qe2.txt"
    oljegu.exe    Feb 22 2009           0  "OLJegu.exe"
    oljegu2.exe   Feb 22 2009           0  "OLJegu2.exe"
    olrnai.exe    Feb 22 2009           0  "olRNAi.exe"
    olrnai2.exe   Feb 22 2009           0  "olRNAi2.exe"
    owmx7pwp.bat  Feb 25 2009        8150  "Owmx7pwp.bat"
    owpjizrt.bat  Feb 25 2009        8150  "owPjizRT.bat"
    oxkg.exe      Feb 25 2009        4344  "OXKG.exe"
    oxkg2.exe     Feb 25 2009           0  "OXKG2.exe"
    p2ypsc.exe    Feb 22 2009           0  "P2yPsC.exe"
    p2ypsc2.exe   Feb 22 2009           0  "P2yPsC2.exe"
    p4b8w.exe     Feb 24 2009        1448  "P4b8w.exe"
    p4b8w2.exe    Feb 24 2009        1448  "P4b8w2.exe"
    p9h.bat       Feb 25 2009        8150  "p9H.bat"
    paij7v9s.exe  Feb 22 2009           0  "PaIj7v9S.exe"
    paij7v~1.exe  Feb 22 2009           0  "PaIj7v9S2.exe"
    pcxvyw.bat    Feb 22 2009         157  "pCxvYw.bat"
    pcxvyw2.bat   Feb 22 2009         113  "pCxvYw2.bat"
    pfoi5i.exe    Feb 25 2009        1448  "pfOi5I.exe"
    pfoi5i2.exe   Feb 25 2009        1448  "pfOi5I2.exe"
    plstaoi.bat   Feb 25 2009         145  "PLsTaOi.bat"
    plstaoi2.bat  Feb 25 2009         109  "PLsTaOi2.bat"
    pmrbkab.txt   Feb 22 2009          51  "pMrbkab.txt"
    pmrbkab2.txt  Feb 22 2009          51  "pMrbkab2.txt"
    pms1g.txt     Feb 22 2009          49  "Pms1G.txt"
    pms1g2.txt    Feb 22 2009          49  "Pms1G2.txt"
    pnemmv.txt    Feb 22 2009          54  "pnEMmV.txt"
    pnemmv2.txt   Feb 22 2009          54  "pnEMmV2.txt"
    po8svdzv.txt  Feb 23 2009          48  "po8SVDzV.txt"
    po8svd~1.txt  Feb 23 2009          48  "po8SVDzV2.txt"
    psp.bat       Feb 25 2009        8150  "pSp.bat"
    pwn7h.exe     Feb 25 2009        1448  "pWN7h.exe"
    pwn7h2.exe    Feb 25 2009        1448  "pWN7h2.exe"
    qd8rqj.txt    Feb 25 2009          49  "qd8rqj.txt"
    qd8rqj2.txt   Feb 25 2009          49  "qd8rqj2.txt"
    qffrot.txt    Feb 22 2009          49  "qFFrOT.txt"
    qffrot2.txt   Feb 22 2009          49  "qFFrOT2.txt"
    qhtdp8um.bat  Feb 25 2009         146  "qhtDp8Um.bat"
    qhtdp8~1.bat  Feb 25 2009         110  "qhtDp8Um2.bat"
    qrsy.txt      Feb 25 2009          53  "qRSY.txt"
    qrsy2.txt     Feb 25 2009          53  "qRSY2.txt"
    qsq.bat       Feb 22 2009        8149  "qSq.bat"
    qygp6exo.txt  Feb 24 2009          49  "qygP6ExO.txt"
    qygp6e~1.txt  Feb 24 2009          49  "qygP6ExO2.txt"
    qzbcpg3y.txt  Feb 25 2009          48  "QzBcpg3y.txt"
    qzbcpg~1.txt  Feb 25 2009          48  "QzBcpg3y2.txt"
    r2c.bat       Feb 25 2009        8150  "r2C.bat"
    rc7pve.txt    Feb 24 2009          49  "Rc7pVE.txt"
    rc7pve2.txt   Feb 24 2009          49  "Rc7pVE2.txt"
    rfcnal.bat    Feb 22 2009        8149  "RFCNal.bat"
    rjldkphz.bat  Feb 24 2009        8150  "RjlDkPhZ.bat"
    rjnzzo4.exe   Feb 22 2009           0  "RJnzzo4.exe"
    rjnzzo42.exe  Feb 22 2009           0  "RJnzzo42.exe"
    rjpqwhfl.exe  Feb 22 2009           0  "rjpQwHfL.exe"
    rjpqwh~1.exe  Feb 22 2009           0  "rjpQwHfL2.exe"
    rn9oxxcp.txt  Feb 22 2009          51  "rn9OXXcp.txt"
    rn9oxx~1.txt  Feb 22 2009          51  "rn9OXXcp2.txt"
    ruex.exe      Feb 24 2009        1448  "rUEX.exe"
    ruex2.exe     Feb 24 2009        1448  "rUEX2.exe"
    rvcx.bat      Feb 25 2009         144  "RvcX.bat"
    rvcx2.bat     Feb 25 2009         110  "RvcX2.bat"
    rxeweqs.bat   Feb 22 2009        8149  "rxeWeqS.bat"
    s0nel.exe     Feb 22 2009           0  "S0NEl.exe"
    s0nel2.exe    Feb 22 2009           0  "S0NEl2.exe"
    s8u7r.exe     Feb 22 2009           0  "s8u7R.exe"
    s8u7r2.exe    Feb 22 2009           0  "s8u7R2.exe"
    saw.exe       Feb 25 2009        1448  "saW.exe"
    saw2.exe      Feb 25 2009        1448  "saW2.exe"
    senkrltn.txt  Feb 24 2009          50  "SENkRLtn.txt"
    senkrl~1.txt  Feb 24 2009          50  "SENkRLtn2.txt"
    sfsxx.exe     Feb 22 2009           0  "sfsXX.exe"
    sfsxx2.exe    Feb 22 2009           0  "sfsXX2.exe"
    shryk0.txt    Feb 23 2009          49  "ShrYk0.txt"
    shryk02.txt   Feb 23 2009          49  "ShrYk02.txt"
    shz0g8.exe    Feb 22 2009           0  "SHZ0G8.exe"
    shz0g82.exe   Feb 22 2009           0  "SHZ0G82.exe"
    sil.bat       Feb 22 2009         148  "SIl.bat"
    sil2.bat      Feb 22 2009         108  "SIl2.bat"
    ska4f.bat     Feb 24 2009        8150  "SKa4F.bat"
    snny.bat      Feb 25 2009         141  "snnY.bat"
    snny2.bat     Feb 25 2009         107  "snnY2.bat"
    sp7yvzm4.txt  Feb 22 2009          52  "Sp7yVzM4.txt"
    sp7yvz~1.txt  Feb 22 2009          52  "Sp7yVzM42.txt"
    sqrcmehi.bat  Feb 22 2009         148  "sqRcMEHI.bat"
    sqrcme~1.bat  Feb 22 2009         108  "sqRcMEHI2.bat"
    srgg.exe      Feb 25 2009        1448  "sRgG.exe"
    srgg2.exe     Feb 25 2009           0  "sRgG2.exe"
    ss0r.bat      Feb 24 2009         152  "Ss0R.bat"
    ss0r2.bat     Feb 24 2009         110  "Ss0R2.bat"
    sut.exe       Feb 22 2009           0  "SUT.exe"
    sut2.exe      Feb 22 2009           0  "SUT2.exe"
    svw6ez7.exe   Feb 22 2009           0  "SvW6EZ7.exe"
    sycb5.txt     Feb 22 2009          51  "SyCB5.txt"
    sycb52.txt    Feb 22 2009          51  "SyCB52.txt"
    szm.txt       Feb 25 2009          53  "Szm.txt"
    szm2.txt      Feb 25 2009          53  "Szm2.txt"
    t9t.bat       Feb 22 2009        8149  "t9t.bat"
    tbl.bat       Feb 24 2009        8150  "tbL.bat"
    tj8iuc.exe    Feb 22 2009           0  "Tj8IuC.exe"
    tj8iuc2.exe   Feb 22 2009           0  "Tj8IuC2.exe"
    tmbrmg0y.bat  Feb 25 2009         152  "tmbrMg0Y.bat"
    tmbrmg~1.bat  Feb 25 2009         110  "tmbrMg0Y2.bat"
    tnjzmysf.txt  Feb 24 2009          48  "TNJzMySf.txt"
    tnjzmy~1.txt  Feb 24 2009          48  "TNJzMySf2.txt"
    tohudyie.exe  Feb 25 2009           0  "toHUDYIE.exe"
    tohudy~1.exe  Feb 25 2009           0  "toHUDYIE2.exe"
    ton.bat       Feb 22 2009         155  "TOn.bat"
    ton2.bat      Feb 22 2009         113  "TOn2.bat"
    tpvoppmj.txt  Feb 22 2009          51  "TPvopPmJ.txt"
    tpvopp~1.txt  Feb 22 2009          51  "TPvopPmJ2.txt"
    ttlco.bat     Feb 22 2009        8149  "TTLcO.bat"
    tyn4n.bat     Feb 25 2009        8150  "tyN4N.bat"
    u00rv.bat     Feb 24 2009         147  "U00Rv.bat"
    u00rv2.bat    Feb 24 2009         111  "U00Rv2.bat"
    u3q.bat       Feb 22 2009         148  "U3q.bat"
    u3q2.bat      Feb 22 2009         108  "U3q2.bat"
    u6igvjhw.txt  Feb 22 2009          54  "U6IGVjHw.txt"
    u6igvj~1.txt  Feb 22 2009          54  "U6IGVjHw2.txt"
    ualovwur.bat  Feb 25 2009         145  "Ualovwur.bat"
    ualovw~1.bat  Feb 25 2009         109  "Ualovwur2.bat"
    uatrtel.bat   Feb 22 2009        8149  "UATrTEl.bat"
    uehmrg.bat    Feb 25 2009        8150  "uEHMRG.bat"
    uhho30l4.bat  Feb 22 2009         152  "UHho30l4.bat"
    uhho30~1.bat  Feb 22 2009         110  "UHho30l42.bat"
    uiefpr0q.exe  Feb 22 2009           0  "UieFpR0q.exe"
    uiefpr~1.exe  Feb 22 2009           0  "UieFpR0q2.exe"
    uim2t.txt     Feb 25 2009          51  "UIM2t.txt"
    uim2t2.txt    Feb 25 2009          51  "UIM2t2.txt"
    ut3i.bat      Feb 25 2009         139  "ut3I.bat"
    ut3i2.bat     Feb 25 2009         105  "ut3I2.bat"
    v32.exe       Feb 25 2009        1448  "V32.exe"
    v322.exe      Feb 25 2009        1448  "V322.exe"
    v4lc3bk9.bat  Feb 22 2009         146  "v4lC3bK9.bat"
    v4lc3b~1.bat  Feb 22 2009         108  "v4lC3bK92.bat"
    vajl8.bat     Feb 22 2009        8149  "vajL8.bat"
    vca.txt       Feb 22 2009          53  "VcA.txt"
    vca2.txt      Feb 22 2009          53  "VcA2.txt"
    vdhyjev.exe   Feb 24 2009        4344  "VdHYjEV.exe"
    vdhyjev2.exe  Feb 24 2009        4344  "VdHYjEV2.exe"
    vdom4zs.bat   Feb 25 2009        8150  "vdoM4Zs.bat"
    vjh.bat       Feb 22 2009        8149  "vJh.bat"
    vmbol0v.txt   Feb 25 2009          49  "vMbOL0V.txt"
    vmbol0v2.txt  Feb 25 2009          49  "vMbOL0V2.txt"
    vnr.txt       Feb 24 2009          49  "vnR.txt"
    vnr2.txt      Feb 24 2009          49  "vnR2.txt"
    vpt4a.bat     Feb 25 2009         144  "VPT4a.bat"
    vpt4a2.bat    Feb 25 2009         110  "VPT4a2.bat"
    vuty.txt      Feb 24 2009          50  "vUTY.txt"
    vuty2.txt     Feb 24 2009          50  "vUTY2.txt"
    vvj4m.bat     Feb 22 2009         142  "vVj4M.bat"
    vvj4m2.bat    Feb 22 2009         108  "vVj4M2.bat"
    vw7.exe       Feb 24 2009        1448  "vw7.exe"
    vw72.exe      Feb 24 2009           0  "vw72.exe"
    vxdlnaff.txt  Feb 25 2009          48  "vXdlNAfF.txt"
    vxdlna~1.txt  Feb 25 2009          48  "vXdlNAfF2.txt"
    vy1.bat       Feb 22 2009        8149  "vy1.bat"
    w0zs2.exe     Feb 25 2009        1448  "w0zS2.exe"
    w5o.txt       Feb 22 2009          52  "w5O.txt"
    w5o2.txt      Feb 22 2009          52  "w5O2.txt"
    wdmqtw.txt    Feb 24 2009          52  "wDmQTw.txt"
    wdmqtw2.txt   Feb 24 2009          52  "wDmQTw2.txt"
    wmp.exe       Feb 23 2009        2896  "wmp.exe"
    wmp2.exe      Feb 23 2009        4344  "wmp2.exe"
    wntwec.txt    Feb 22 2009          50  "wNTwec.txt"
    wntwec2.txt   Feb 22 2009          50  "wNTwec2.txt"
    wq4c.bat      Feb 25 2009         153  "WQ4c.bat"
    wq4c2.bat     Feb 25 2009         113  "WQ4c2.bat"
    wqgxu.exe     Feb 22 2009           0  "WqgXu.exe"
    wqgxu2.exe    Feb 22 2009           0  "WqgXu2.exe"
    wsvvt.exe     Feb 22 2009           0  "wsvvT.exe"
    wsvvt2.exe    Feb 22 2009           0  "wsvvT2.exe"
    wv1bmin.txt   Feb 25 2009          52  "wv1bMIN.txt"
    wv1bmin2.txt  Feb 25 2009          52  "wv1bMIN2.txt"
    wvvn4.bat     Feb 22 2009        8149  "wvVN4.bat"
    wzrf1rx.bat   Feb 24 2009        8150  "wZRF1RX.bat"
    x02yecs.txt   Feb 22 2009          53  "x02YECS.txt"
    x02yecs2.txt  Feb 22 2009          53  "x02YECS2.txt"
    x377f9o.bat   Feb 25 2009        8150  "x377f9O.bat"
    xcqnx.bat     Feb 22 2009        8149  "xCqnX.bat"
    xfyquzl.exe   Feb 25 2009        1448  "xFyQuZl.exe"
    xfyquzl2.exe  Feb 25 2009        1448  "xFyQuZl2.exe"
    xhp.bat       Feb 22 2009         151  "XhP.bat"
    xhp2.bat      Feb 22 2009         111  "XhP2.bat"
    xhvzxxkb.txt  Feb 25 2009          48  "XhVZxXkB.txt"
    xhvzxx~1.txt  Feb 25 2009          48  "XhVZxXkB2.txt"
    xm8xopa.txt   Feb 25 2009          53  "xm8xoPa.txt"
    xm8xopa2.txt  Feb 25 2009          53  "xm8xoPa2.txt"
    xp4vj.exe     Feb 24 2009        1448  "xp4Vj.exe"
    xp4vj2.exe    Feb 24 2009        1448  "xp4Vj2.exe"
    xvxi.txt      Feb 25 2009          52  "xvxI.txt"
    xvxi2.txt     Feb 25 2009          52  "xvxI2.txt"
    xzih528.bat   Feb 25 2009        8150  "XZIh528.bat"
    y6xunua.txt   Feb 22 2009          52  "Y6XUNUa.txt"
    y6xunua2.txt  Feb 22 2009          52  "Y6XUNUa2.txt"
    ykoh.bat      Feb 22 2009        8149  "ykOH.bat"
    yn8ajz.txt    Feb 22 2009          49  "yn8Ajz.txt"
    yn8ajz2.txt   Feb 22 2009          49  "yn8Ajz2.txt"
    yntyb.bat     Feb 24 2009         142  "yNtYb.bat"
    yntyb2.bat    Feb 24 2009         106  "yNtYb2.bat"
    yrxk.bat      Feb 23 2009         144  "yrXK.bat"
    yrxk2.bat     Feb 23 2009         110  "yrXK2.bat"
    ytdo.exe      Feb 24 2009        1448  "YtDo.exe"
    ytdo2.exe     Feb 24 2009        1448  "YtDo2.exe"
    z4e30.bat     Feb 22 2009         147  "Z4E30.bat"
    z4e302.bat    Feb 22 2009         109  "Z4E302.bat"
    z7hnwjk.bat   Feb 25 2009        8150  "z7hNWjK.bat"
    zbp.bat       Feb 22 2009        8149  "zbP.bat"
    ze0x4rsk.exe  Feb 25 2009           0  "zE0X4Rsk.exe"
    ze0x4r~1.exe  Feb 25 2009        1448  "zE0X4Rsk2.exe"
    zk4cly.txt    Feb 22 2009          53  "zK4clY.txt"
    zk4cly2.txt   Feb 22 2009          53  "zK4clY2.txt"
    zqe4ygpz.bat  Feb 25 2009        8150  "ZQE4Ygpz.bat"
    zrvab.txt     Feb 22 2009          51  "ZRvAB.txt"
    zrvab2.txt    Feb 22 2009          51  "ZRvAB2.txt"
    ztxruwc.bat   Feb 25 2009         144  "ZtxruwC.bat"
    ztxruwc2.bat  Feb 25 2009         110  "ZtxruwC2.bat"
    zvzsnjgo.bat  Feb 25 2009        8150  "ZvzSNJGO.bat"
    
    C:\WINDOWS\Tasks\"
    at1.job       Feb 27 2009         386  "At1.job"
    at10.job      Feb 25 2009         386  "At10.job"
    at11.job      Feb 25 2009         386  "At11.job"
    at12.job      Feb 25 2009         386  "At12.job"
    at13.job      Feb 25 2009         386  "At13.job"
    at14.job      Feb 25 2009         386  "At14.job"
    at15.job      Feb 25 2009         386  "At15.job"
    at16.job      Feb 25 2009         386  "At16.job"
    at17.job      Feb 25 2009         386  "At17.job"
    at18.job      Feb 25 2009         386  "At18.job"
    at19.job      Feb 25 2009         386  "At19.job"
    at2.job       Feb 27 2009         386  "At2.job"
    at20.job      Feb 25 2009         386  "At20.job"
    at21.job      Feb 25 2009         386  "At21.job"
    at22.job      Feb 25 2009         386  "At22.job"
    at23.job      Feb 25 2009         386  "At23.job"
    at24.job      Feb 25 2009         386  "At24.job"
    at25.job      Feb 25 2009         386  "At25.job"
    at26.job      Feb 25 2009         386  "At26.job"
    at27.job      Feb 25 2009         386  "At27.job"
    at28.job      Feb 25 2009         386  "At28.job"
    at29.job      Feb 25 2009         386  "At29.job"
    at3.job       Feb 25 2009         386  "At3.job"
    at30.job      Feb 25 2009         386  "At30.job"
    at31.job      Feb 25 2009         386  "At31.job"
    at32.job      Feb 25 2009         386  "At32.job"
    at33.job      Feb 25 2009         386  "At33.job"
    at34.job      Feb 25 2009         386  "At34.job"
    at35.job      Feb 25 2009         386  "At35.job"
    at36.job      Mar  1 2009         386  "At36.job"
    at37.job      Feb 25 2009         386  "At37.job"
    at38.job      Feb 25 2009         386  "At38.job"
    at39.job      Feb 25 2009         386  "At39.job"
    at4.job       Feb 25 2009         386  "At4.job"
    at40.job      Feb 25 2009         386  "At40.job"
    at41.job      Feb 25 2009         386  "At41.job"
    at42.job      Feb 25 2009         386  "At42.job"
    at43.job      Feb 25 2009         386  "At43.job"
    at44.job      Feb 25 2009         386  "At44.job"
    at45.job      Feb 25 2009         386  "At45.job"
    at46.job      Feb 25 2009         386  "At46.job"
    at47.job      Feb 25 2009         386  "At47.job"
    at48.job      Feb 25 2009         386  "At48.job"
    at49.job      Feb 25 2009         386  "At49.job"
    at5.job       Feb 25 2009         386  "At5.job"
    at50.job      Feb 25 2009         386  "At50.job"
    at51.job      Feb 25 2009         386  "At51.job"
    at52.job      Feb 25 2009         386  "At52.job"
    at53.job      Feb 25 2009         386  "At53.job"
    at54.job      Feb 25 2009         386  "At54.job"
    at55.job      Feb 25 2009         386  "At55.job"
    at56.job      Feb 25 2009         386  "At56.job"
    at57.job      Feb 25 2009         386  "At57.job"
    at58.job      Feb 28 2009         386  "At58.job"
    at59.job      Feb 28 2009         386  "At59.job"
    at6.job       Feb 25 2009         386  "At6.job"
    at60.job      Feb 28 2009         386  "At60.job"
    at61.job      Feb 28 2009         386  "At61.job"
    at62.job      Feb 28 2009         386  "At62.job"
    at63.job      Feb 28 2009         386  "At63.job"
    at64.job      Feb 28 2009         386  "At64.job"
    at65.job      Feb 28 2009         386  "At65.job"
    at66.job      Feb 28 2009         386  "At66.job"
    at67.job      Feb 28 2009         386  "At67.job"
    at68.job      Feb 28 2009         386  "At68.job"
    at69.job      Feb 28 2009         386  "At69.job"
    at7.job       Feb 25 2009         386  "At7.job"
    at70.job      Feb 28 2009         386  "At70.job"
    at71.job      Feb 28 2009         386  "At71.job"
    at72.job      Feb 28 2009         386  "At72.job"
    at73.job      Feb 28 2009         386  "At73.job"
    at74.job      Feb 28 2009         386  "At74.job"
    at75.job      Feb 28 2009         386  "At75.job"
    at76.job      Feb 28 2009         386  "At76.job"
    at77.job      Feb 28 2009         386  "At77.job"
    at78.job      Feb 28 2009         386  "At78.job"
    at79.job      Feb 28 2009         386  "At79.job"
    at8.job       Feb 25 2009         386  "At8.job"
    at80.job      Feb 28 2009         386  "At80.job"
    at81.job      Feb 28 2009         386  "At81.job"
    at82.job      Feb 26 2009         386  "At82.job"
    at83.job      Feb 26 2009         386  "At83.job"
    at84.job      Feb 26 2009         386  "At84.job"
    at85.job      Feb 26 2009         386  "At85.job"
    at86.job      Feb 26 2009         386  "At86.job"
    at87.job      Feb 26 2009         386  "At87.job"
    at88.job      Feb 26 2009         386  "At88.job"
    at89.job      Feb 26 2009         386  "At89.job"
    at9.job       Feb 25 2009         386  "At9.job"
    at90.job      Feb 26 2009         386  "At90.job"
    at91.job      Feb 26 2009         386  "At91.job"
    at92.job      Feb 26 2009         386  "At92.job"
    at93.job      Feb 26 2009         386  "At93.job"
    at94.job      Feb 26 2009         386  "At94.job"
    at95.job      Feb 26 2009         386  "At95.job"
    at96.job 
    [/B]
    You also need to empty this folder:
    C:\Documents and Settings\Owen\Local Settings\temp\

    Then please run new scans using SAS, MBAM, Combo and then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
    Last edited: Mar 2, 2009
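As an added example that is not part of this thread (it is not TimW's, Avenger's or ComboFix's code), the following Python script parses directory-listing lines in the same layout as the one quoted above and flags the two patterns visible in it: a flood of At<N>.job files in the Tasks folder (jobs created with the at command) and random-named X.ext / X2.ext twin files in the drive root. The sample listing it runs on is constructed, and the thresholds and function names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same layout as the directory listing quoted in the
# thread: a directory header ending in a quote, then one file per line as
#   <8.3 name>  <Mon DD YYYY>  <size>  "<long name>"
SAMPLE_LISTING = """\
    C:\\"
    ykoh.bat      Feb 22 2009        8149  "ykOH.bat"
    yntyb.bat     Feb 24 2009         142  "yNtYb.bat"
    yntyb2.bat    Feb 24 2009         106  "yNtYb2.bat"
    ytdo.exe      Feb 24 2009        1448  "YtDo.exe"
    ytdo2.exe     Feb 24 2009        1448  "YtDo2.exe"
    boot.ini      Jan 10 2009         211  "boot.ini"
    C:\\WINDOWS\\Tasks\\"
    at1.job       Feb 27 2009         386  "At1.job"
    at2.job       Feb 27 2009         386  "At2.job"
    at3.job       Feb 25 2009         386  "At3.job"
    at4.job       Feb 25 2009         386  "At4.job"
    at5.job       Feb 25 2009         386  "At5.job"
    desktop.ini   Jan 10 2009          65  "desktop.ini"
"""

# A header is a drive path ending in a stray quote, as in the quoted listing.
HEADER_RE = re.compile(r'^\s*([A-Za-z]:\\[^"]*)"\s*$')
# An entry: short name, Mon DD YYYY, size, then the long name in quotes.
ENTRY_RE = re.compile(
    r'^\s*\S+\s+[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+(\d+)\s+"([^"]+)"\s*$')
AT_JOB_RE = re.compile(r'^at\d+\.job$', re.IGNORECASE)
# X2.ext twins of a dropped X.ext file (bat/txt/exe, as seen in the thread).
TWIN_RE = re.compile(r'^(.+?)2(\.(?:bat|txt|exe))$', re.IGNORECASE)


def parse_listing(text):
    """Return {directory: {long_name: size}} from listing text."""
    dirs, current = defaultdict(dict), None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            dirs[current][m.group(2)] = int(m.group(1))
    return dirs


def find_at_job_floods(dirs, min_jobs=5):
    """Tasks folders holding at least min_jobs At<N>.job files.

    Returns {directory: {'count': n, 'sizes': {size: n}}}; identical sizes
    across all jobs are a strong hint that one command keeps re-creating them.
    """
    floods = {}
    for directory, files in dirs.items():
        if not directory.lower().endswith('\\tasks\\'):
            continue
        jobs = [n for n in files if AT_JOB_RE.match(n)]
        if len(jobs) >= min_jobs:
            sizes = Counter(files[n] for n in jobs)
            floods[directory] = {'count': len(jobs), 'sizes': dict(sizes)}
    return floods


def find_dropper_pairs(dirs):
    """(directory, X.ext, X2.ext) triples where both twins exist."""
    pairs = []
    for directory, files in dirs.items():
        for name in files:
            m = TWIN_RE.match(name)
            if m and (m.group(1) + m.group(2)) in files:
                pairs.append((directory, m.group(1) + m.group(2), name))
    return sorted(pairs)


if __name__ == '__main__':
    listing = parse_listing(SAMPLE_LISTING)
    print('At-job floods:', find_at_job_floods(listing))
    print('Dropper pairs:', find_dropper_pairs(listing))
```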
  10. chachie

    chachie Private E-2

    Here's the new C:\MGlogs.zip file and Combofix log.
    I removed what you asked using HJT and The Avenger.
    MBAM and SAS didn't find anything.
    Thanks again.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
     
    File::
    C:\a7y.bat
    C:\A8IJ00l7.txt
    C:\A8IJ00l72.txt
    C:\ACo.bat
    C:\ACo2.bat
    C:\AcwFyw.bat
    C:\AcwFyw2.bat
    C:\aehYzNVN.exe
    C:\aehYzNVN2.exe
    C:\AEV.bat
    C:\AEV2.bat
    C:\aFDf9ES.txt
    C:\aFDf9ES2.txt
    C:\aGAW.txt
    C:\aGAW2.txt
    C:\AOm.bat
    C:\AOm2.bat
    C:\AUOAGyd.exe
    C:\AUOAGyd2.exe
    C:\bjd.exe
    C:\bjd2.exe
    C:\bl4EO.bat
    C:\BSK.bat
    C:\BSK2.bat
    C:\BuFK0f.bat
    C:\BuFK0f2.bat
    C:\bvwx.exe
    C:\bvwx2.exe
    C:\Bxnk5Fe.bat
    C:\Bxnk5Fe2.bat
    C:\byveGcDj.bat
    C:\byYU.bat
    C:\byYU2.bat
    C:\c6nMd.bat
    C:\c6nMd2.bat
    C:\C80.exe
    C:\C802.exe
    C:\cBv01yVp.bat
    C:\CPcmn9u.bat
    C:\cppfeIz.txt
    C:\cppfeIz2.txt
    C:\CsBA.txt
    C:\CsBA2.txt
    C:\cuG.bat
    C:\cuG2.bat
    C:\CVIt.exe
    C:\CVIt2.exe
    C:\CVT.bat
    C:\CVT2.bat
    C:\cxW.txt
    C:\cxW2.txt
    C:\d015.bat
    C:\d0152.bat
    C:\D7tRZ.bat
    C:\D7tRZ2.bat
    C:\d9R.bat
    C:\DBJqp.txt
    C:\DBJqp2.txt
    C:\DEEEXtV.bat
    C:\DEEEXtV2.bat
    C:\DSUXL.exe
    C:\DSUXL2.exe
    C:\dY0b.txt
    C:\dY0b2.txt
    C:\eesNo.bat
    C:\eHsvvQ.txt
    C:\eHsvvQ2.txt
    C:\eKz.txt
    C:\eKz2.txt
    C:\eQ9NPj.bat
    C:\EwYW.exe
    C:\EwYW2.exe
    C:\fFjklFM.exe
    C:\fFjklFM2.exe
    C:\fIy.exe
    C:\fIy2.exe
    C:\FMtV.bat
    C:\FMtV2.bat
    C:\fPRGy3.bat
    C:\fr5e.txt
    C:\fr5e2.txt
    C:\fS0uPAd.bat
    C:\fS0uPAd2.bat
    C:\fT82j2Td.bat
    C:\fT82j2Td2.bat
    C:\FTO.exe
    C:\FTO2.exe
    C:\fUKA3.bat
    C:\fUKA32.bat
    C:\fuLXLwO.txt
    C:\fuLXLwO2.txt
    C:\g7tXUKNh.bat
    C:\G9otNvJL.txt
    C:\G9otNvJL2.txt
    C:\gaXw.bat
    C:\gBF.bat
    C:\gBF2.bat
    C:\Gdx7.bat
    C:\Gdx72.bat
    C:\gE6CQR.txt
    C:\gE6CQR2.txt
    C:\gE7AToW.exe
    C:\gE7AToW2.exe
    C:\GG979.bat
    C:\GG9792.bat
    C:\ggj58gQa.bat
    C:\gh4dx.bat
    C:\gh4dx2.bat
    C:\GI0kiF.exe
    C:\GI0kiF2.exe
    C:\Gi9Fak.bat
    C:\Gi9Fak2.bat
    C:\GKi496Hf.bat
    C:\GKyZ.bat
    C:\gMirQ.exe
    C:\gMirQ2.exe
    C:\gPhwM0He.txt
    C:\gPhwM0He2.txt
    C:\GTXcAP.bat
    C:\GTXcAP2.bat
    C:\GWq5.exe
    C:\GWq52.exe
    C:\gZ9c.txt
    C:\gZ9c2.txt
    C:\gzKakgHQ.bat
    C:\gzKakgHQ2.bat
    C:\h3SOW.bat
    C:\H91VtEO.bat
    C:\H91VtEO2.bat
    C:\H9C.exe
    C:\H9C2.exe
    C:\Hci.exe
    C:\Hci2.exe
    C:\Hd8T9.bat
    C:\Hd8T92.bat
    C:\hdoMZ.exe
    C:\hdoMZ2.exe
    C:\HEDpHC6.bat
    C:\HHmh.bat
    C:\hK4km3l.bat
    C:\hK4km3l2.bat
    C:\HOYiYfg1.bat
    C:\Hrj7.exe
    C:\Hrj72.exe
    C:\HZXdG.bat
    C:\HZXdG2.bat
    C:\i4c.txt
    C:\i4c2.txt
    C:\i4Do.bat
    C:\i4Do2.bat
    C:\i9LnlZ6.bat
    C:\iAv.bat
    C:\iCZPMk.bat
    C:\IfeU.exe
    C:\IfeU2.exe
    C:\iFw.bat
    C:\IgLuXz.bat
    C:\ih67Gf3l.bat
    C:\IhGI1w3I.bat
    C:\ihGmoN.bat
    C:\ihGmoN2.bat
    C:\imcUV1v.exe
    C:\imcUV1v2.exe
    C:\ImXkrIVg.txt
    C:\ImXkrIVg2.txt
    C:\IsJPwHlo2.exe
    C:\IsJySo1.exe
    C:\iuH47.bat
    C:\IVT7.bat
    C:\IVT72.bat
    C:\J1djD.bat
    C:\J1djD2.bat
    C:\J1FHUdJ.txt
    C:\J1FHUdJ2.txt
    C:\Jby6LFhP.exe
    C:\Jby6LFhP2.exe
    C:\JdBIZ5G.bat
    C:\Jdrv.bat
    C:\JeVreJ1.bat
    C:\JeVreJ12.bat
    C:\Jib.bat
    C:\jlkBOS.bat
    C:\jlkBOS2.bat
    C:\jn2JEzMR.exe
    C:\jn2JEzMR2.exe
    C:\jNcqu.bat
    C:\JQhuER5Y.bat
    C:\JQhuER5Y2.bat
    C:\jRyHte.bat
    C:\k0k2mj.txt
    C:\k0k2mj2.txt
    C:\kD2VWQry.exe
    C:\kD2VWQry2.exe
    C:\kE0fvKvN.txt
    C:\kE0fvKvN2.txt
    C:\kG82K.txt
    C:\kG82K2.txt
    C:\kgqZ.txt
    C:\kgqZ2.txt
    C:\KM1.txt
    C:\KM12.txt
    C:\kt95dQ.exe
    C:\kt95dQ2.exe
    C:\kU6RWT.txt
    C:\kU6RWT2.txt
    C:\Kvmk4Qv.txt
    C:\Kvmk4Qv2.txt
    C:\kX43xjP.bat
    C:\kX43xjP2.bat
    C:\lbV9M.bat
    C:\lI0yVU6.exe
    C:\lJ1wCIK.bat
    C:\lJ1wCIK2.bat
    C:\Lk5.bat
    C:\lLeLQgz6.txt
    C:\lLeLQgz62.txt
    C:\LLfH.txt
    C:\LLfH2.txt
    C:\lmnQn.bat
    C:\Ln9WxXe.bat
    C:\lxyr.bat
    C:\lxyr2.bat
    C:\LXZJp.exe
    C:\LXZJp2.exe
    C:\LYhjw.bat
    C:\M4Dm81qE.bat
    C:\MBpF.txt
    C:\MBpF2.txt
    C:\MEY.bat
    C:\MEY2.bat
    C:\Mfjo31O1.txt
    C:\Mfjo31O12.txt
    C:\mFl90k.exe
    C:\mFl90k2.exe
    C:\mKwo2.exe
    C:\MUJmEsP.exe
    C:\MUJmEsP2.exe
    C:\mXVjRy.bat
    C:\mXVjRy2.bat
    C:\N0sEU.txt
    C:\N0sEU2.txt
    C:\n24ihRiY.bat
    C:\NbIgbI8e.bat
    C:\NbIgbI8e2.bat
    C:\nBzuB.bat
    C:\NDeNVIn5.bat
    C:\NDeNVIn52.bat
    C:\NEoZG.txt
    C:\NEoZG2.txt
    C:\nGjfo.bat
    C:\NhCBz2xJ.bat
    C:\NhCBz2xJ2.bat
    C:\NIN.bat
    C:\NIN2.bat
    C:\nm5JyJab.txt
    C:\nm5JyJab2.txt
    C:\NrkVlb6.bat
    C:\NrkVlb62.bat
    C:\Ns1EB.bat
    C:\NwW.exe
    C:\NwW2.exe
    C:\NY2.exe
    C:\NY22.exe
    C:\oAGTtUG.exe
    C:\oAGTtUG2.exe
    C:\OaK0hnfs.exe
    C:\OaK0hnfs2.exe
    C:\OBf4.bat
    C:\OBf42.bat
    C:\oCrR9IY.exe
    C:\oCrR9IY2.exe
    C:\oEQWhY.exe
    C:\oEQWhY2.exe
    C:\OIL9S2Qe.txt
    C:\OIL9S2Qe2.txt
    C:\OLJegu.exe
    C:\OLJegu2.exe
    C:\olRNAi.exe
    C:\olRNAi2.exe
    C:\Owmx7pwp.bat
    C:\owPjizRT.bat
    C:\OXKG.exe
    C:\OXKG2.exe
    C:\P2yPsC.exe
    C:\P2yPsC2.exe
    C:\P4b8w.exe
    C:\P4b8w2.exe
    C:\p9H.bat
    C:\PaIj7v9S.exe
    C:\PaIj7v9S2.exe
    C:\pCxvYw.bat
    C:\pCxvYw2.bat
    C:\pfOi5I.exe
    C:\pfOi5I2.exe
    C:\PLsTaOi.bat
    C:\PLsTaOi2.bat
    C:\pMrbkab.txt
    C:\pMrbkab2.txt
    C:\Pms1G.txt
    C:\Pms1G2.txt
    C:\pnEMmV.txt
    C:\pnEMmV2.txt
    C:\po8SVDzV.txt
    C:\po8SVDzV2.txt
    C:\pSp.bat
    C:\pWN7h.exe
    C:\pWN7h2.exe
    C:\qd8rqj.txt
    C:\qd8rqj2.txt
    C:\qFFrOT.txt
    C:\qFFrOT2.txt
    C:\qhtDp8Um.bat
    C:\qhtDp8Um2.bat
    C:\qRSY.txt
    C:\qRSY2.txt
    C:\qSq.bat
    C:\qygP6ExO.txt
    C:\qygP6ExO2.txt
    C:\QzBcpg3y.txt
    C:\QzBcpg3y2.txt
    C:\r2C.bat
    C:\Rc7pVE.txt
    C:\Rc7pVE2.txt
    C:\RFCNal.bat
    C:\RjlDkPhZ.bat
    C:\RJnzzo4.exe
    C:\RJnzzo42.exe
    C:\rjpQwHfL.exe
    C:\rjpQwHfL2.exe
    C:\rn9OXXcp.txt
    C:\rn9OXXcp2.txt
    C:\rUEX.exe
    C:\rUEX2.exe
    C:\RvcX.bat
    C:\RvcX2.bat
    C:\rxeWeqS.bat
    C:\S0NEl.exe
    C:\S0NEl2.exe
    C:\s8u7R.exe
    C:\s8u7R2.exe
    C:\saW.exe
    C:\saW2.exe
    C:\SENkRLtn.txt
    C:\SENkRLtn2.txt
    C:\sfsXX.exe
    C:\sfsXX2.exe
    C:\ShrYk0.txt
    C:\ShrYk02.txt
    C:\SHZ0G8.exe
    C:\SHZ0G82.exe
    C:\SIl.bat
    C:\SIl2.bat
    C:\SKa4F.bat
    C:\snnY.bat
    C:\snnY2.bat
    C:\Sp7yVzM4.txt
    C:\Sp7yVzM42.txt
    C:\sqRcMEHI.bat
    C:\sqRcMEHI2.bat
    C:\sRgG.exe
    C:\sRgG2.exe
    C:\Ss0R.bat
    C:\Ss0R2.bat
    C:\Start_.cmd
    C:\SUT.exe
    C:\SUT2.exe
    C:\SvW6EZ7.exe
    C:\SyCB5.txt
    C:\SyCB52.txt
    C:\Szm.txt
    C:\Szm2.txt
    C:\t9t.bat
    C:\tbL.bat
    C:\Tj8IuC.exe
    C:\Tj8IuC2.exe
    C:\tmbrMg0Y.bat
    C:\tmbrMg0Y2.bat
    C:\TNJzMySf.txt
    C:\TNJzMySf2.txt
    C:\toHUDYIE.exe
    C:\toHUDYIE2.exe
    C:\TOn.bat
    C:\TOn2.bat
    C:\TPvopPmJ.txt
    C:\TPvopPmJ2.txt
    C:\TTLcO.bat
    C:\tyN4N.bat
    C:\U00Rv.bat
    C:\U00Rv2.bat
    C:\U3q.bat
    C:\U3q2.bat
    C:\U6IGVjHw.txt
    C:\U6IGVjHw2.txt
    C:\Ualovwur.bat
    C:\Ualovwur2.bat
    C:\UATrTEl.bat
    C:\uEHMRG.bat
    C:\UHho30l4.bat
    C:\UHho30l42.bat
    C:\UieFpR0q.exe
    C:\UieFpR0q2.exe
    C:\UIM2t.txt
    C:\UIM2t2.txt
    C:\ut3I.bat
    C:\ut3I2.bat
    C:\V32.exe
    C:\V322.exe
    C:\v4lC3bK9.bat
    C:\v4lC3bK92.bat
    C:\vajL8.bat
    C:\VcA.txt
    C:\VcA2.txt
    C:\VdHYjEV.exe
    C:\VdHYjEV2.exe
    C:\vdoM4Zs.bat
    C:\vJh.bat
    C:\vMbOL0V.txt
    C:\vMbOL0V2.txt
    C:\vnR.txt
    C:\vnR2.txt
    C:\VPT4a.bat
    C:\VPT4a2.bat
    C:\vUTY.txt
    C:\vUTY2.txt
    C:\vVj4M.bat
    C:\vVj4M2.bat
    C:\vw7.exe
    C:\vw72.exe
    C:\vXdlNAfF.txt
    C:\vXdlNAfF2.txt
    C:\vy1.bat
    C:\w0zS2.exe
    C:\w5O.txt
    C:\w5O2.txt
    C:\wDmQTw.txt
    C:\wDmQTw2.txt
    C:\wmp.exe
    C:\wmp2.exe
    C:\wNTwec.txt
    C:\wNTwec2.txt
    C:\WQ4c.bat
    C:\WQ4c2.bat
    C:\WqgXu.exe
    C:\WqgXu2.exe
    C:\wsvvT.exe
    C:\wsvvT2.exe
    C:\wv1bMIN.txt
    C:\wv1bMIN2.txt
    C:\wvVN4.bat
    C:\wZRF1RX.bat
    C:\x02YECS.txt
    C:\x02YECS2.txt
    C:\x377f9O.bat
    C:\xCqnX.bat
    C:\xFyQuZl.exe
    C:\xFyQuZl2.exe
    C:\XhP.bat
    C:\XhP2.bat
    C:\XhVZxXkB.txt
    C:\XhVZxXkB2.txt
    C:\xm8xoPa.txt
    C:\xm8xoPa2.txt
    C:\xp4Vj.exe
    C:\xp4Vj2.exe
    C:\xvxI.txt
    C:\xvxI2.txt
    C:\XZIh528.bat
    C:\Y6XUNUa.txt
    C:\Y6XUNUa2.txt
    C:\ykOH.bat
    C:\yn8Ajz.txt
    C:\yn8Ajz2.txt
    C:\yNtYb.bat
    C:\yNtYb2.bat
    C:\yrXK.bat
    C:\yrXK2.bat
    C:\YtDo.exe
    C:\YtDo2.exe
    C:\Z4E30.bat
    C:\Z4E302.bat
    C:\z7hNWjK.bat
    C:\zbP.bat
    C:\zE0X4Rsk.exe
    C:\zE0X4Rsk2.exe
    C:\zK4clY.txt
    C:\zK4clY2.txt
    C:\ZQE4Ygpz.bat
    C:\ZRvAB.txt
    C:\ZRvAB2.txt
    C:\ZtxruwC.bat
    C:\ZtxruwC2.bat
    C:\ZvzSNJGO.bat
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Attach the new log. Then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
    Last edited by a moderator: Mar 5, 2009
  12. chachie

    chachie Private E-2

    Here they are...
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We are getting there.

    Please run this:
    HTA zip.

    And then attach the new MGLogs.zip
     
  14. chachie

    chachie Private E-2

    I cannot get linked to the HTA zip - It seems I don't have permission.

    "chachie, you do not have permission to access this page. This could be due to one of several reasons:

    1. Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
    2. If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation."
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    My fault.....
     

    Attached Files:

  16. chachie

    chachie Private E-2

    Here they are...
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet, your logs are finally clean. We just need to put the suspected mshta.exe back. To do that, look in the C:\Avenger folder, the most recent backup is called backup.zip and the password is "infected". C:\WINDOWS\System32\mshta.exe --> tell me if you have any problems doing this.
     
  18. chachie

    chachie Private E-2

    I apologize, but I'm not sure how to replace the file.
    I'm not too savvy with scripting or anything that Avenger does.
    Would hate to come this far not to cross the finish line running.
    Thanks again!
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You just have to open the "backup zip" using the password "infected" and restore that item.
     
  20. chachie

    chachie Private E-2

    I have no problem opening the file, but how do I restore mshta.exe?
    I see no mention of it in the file.
    I would attach it, but it is too big to upload for a .txt.
    Thanks again for your patience.
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you can't find it, then go to start / run / type "sfc /scannow" without quotes and have your XP CD handy. It will check for missing or corrupt system files. Run it twice.

    Otherwise, you are good to go unless you have some other issues.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
