Can you turn on System Restore. Uninstall ComboFix. Then download and run it again and post the new log.
Hi Shark74,
-- I do think a tool such as Acronis would be beneficial. Obviously, if you were to use it on a student's compy, there would be privacy issues that would come into play.
Of course, if you are the one tasked with cleaning their computers, then I think that would override any privacy concerns....
-- Your combofix log shows a lot of malware autorunning via external drive, as you suspected.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{439bddb1-a2b3-11dc-aaf1-0016d457db95}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c57f052a-ca63-11dc-ab0c-0016d457db95}]
\Shell\Auto\command - F:\Pictures.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Pictures.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eee99ee9-9a63-11dc-aae3-0016d457db95}]
\Shell\AutoRun\command - asfsadfasddfasfsd.exe
etc.....
I am going to remove all those registry keys, but that is only a temporary measure until the next time an infected drive is accessed...
A tool such as Flash-Disinfector by sUBs
http://www.techsupportforum.com/sect...isinfector.exe may help when you have the drives in your possession.
-- Do you know what this is? --> C:\WINDOWS\system32\PolicyBU.reg
I imagine it tweaks Explorer Policy registry values. Probably nothing to worry about.
What about this one? --->C:\toolkit_widget.gif
Anyhoo, let's do this:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag and drop CFScript.txt into/over ComboFix.exe to start ComboFix
-- Let Combofix run as before and post us that log and we'll go from there.
Cheers
PP
Last edited by PhilliePhan; 01-29-2008 at 04:03 PM.
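As an added example (my own script, not something posted in this thread and not part of ComboFix or Flash-Disinfector), here is a PowerShell audit for the per-drive Shell\*\command handlers PP found under MountPoints2, plus a check of the NoDriveTypeAutoRun policy that decides whether such handlers can fire at all. It assumes the standard key paths; the -Remove switch and the report wording are my own.

```powershell
# Added example (not from this thread): audit the current user's MountPoints2
# key for per-drive Shell\<verb>\command handlers of the kind shown in the
# ComboFix log, and report the AutoRun policy. Read-only unless -Remove is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # hypothetical switch: delete each offending Shell key
)

$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# A clean MountPoints2 volume entry has no Shell\*\command subkeys; autorun
# worms add one per verb (AutoRun, open, explore) so every way of opening the
# drive launches the payload named in the (default) value.
$findings = @(
    Get-ChildItem -Path $mp2 -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_.PSChildName -ieq 'command' -and
            $_.PSParentPath -match '\\Shell\\[^\\]+$'
        } |
        ForEach-Object {
            $cmd = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) {
                $native = $_.PSPath -replace '^.*::', ''   # drop the provider prefix
                [pscustomobject]@{
                    Volume   = $native -replace '^.*\\MountPoints2\\([^\\]+)\\.*$', '$1'
                    Verb     = Split-Path -Path $_.PSParentPath -Leaf
                    Command  = $cmd
                    ShellKey = $native -replace '(\\Shell)\\.*$', '$1'
                }
            }
        }
)

if ($findings.Count -eq 0) {
    Write-Host 'No Shell\*\command handlers under MountPoints2.'
} else {
    Write-Host "$($findings.Count) autorun handler(s) found:"
    $findings | Format-Table Volume, Verb, Command -AutoSize | Out-String | Write-Host

    if ($Remove) {
        # Remove the whole Shell subtree of each affected volume, one key at a time,
        # so -WhatIf / -Confirm show exactly what would go.
        foreach ($key in ($findings.ShellKey | Sort-Object -Unique)) {
            if ($PSCmdlet.ShouldProcess($key, 'Remove Shell key')) {
                Remove-Item -Path "Registry::$key" -Recurse -Force
            }
        }
    }
}

# The keys only matter because AutoRun is allowed to act on them. A
# NoDriveTypeAutoRun value of 0xFF in either Policies\Explorer key disables
# AutoRun for every drive type; bit 0x04 covers removable drives on its own.
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $val) {
        Write-Host "$hive NoDriveTypeAutoRun: not set"
    } elseif (($val -band 0x04) -ne 0) {
        Write-Host ('{0} NoDriveTypeAutoRun: 0x{1:X2} (removable-drive AutoRun disabled)' -f $hive, $val)
    } else {
        Write-Host ('{0} NoDriveTypeAutoRun: 0x{1:X2} (removable-drive AutoRun still allowed)' -f $hive, $val)
    }
}
```

Run it as the affected user, since MountPoints2 lives under HKCU and is per profile; add -Remove -WhatIf to preview deletions before committing to them. As PP notes, these keys come back the moment another infected drive is plugged in, which is why the policy check at the end is the part worth acting on: with removable-drive AutoRun disabled, a re-created handler has nothing to trigger it.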
Dear PP.
Thanks for the prompt response.
I do not know what the two items are you pointed out.
C:\WINDOWS\system32\PolicyBU.reg
C:\toolkit_widget.gif
Will clean them....
Yes... that ntde1ect.com infection you pointed out... turned me old before my time last year; it was bad.
I also followed your instructions, and here is the ComboFix log 3 you requested.
Thanks for your time...
Shark74
Happy to help
-- Actually, if you could Zip and attach
C:\WINDOWS\system32\PolicyBU.reg
C:\toolkit_widget.gif
C:\f8caf2971233e80203
for me, that would be great.
I doubt that they are anything to worry about, but I'd like to see them before sounding the "all clear."
-- Combofix looks OK - It did not find any of the files I was looking for (those referenced by the reg keys), so I doubt they are on your compy.
-- I am not sure what could be causing the Wifi connection problems you mentioned in your previous post - could it have to do with the newly added MTN F@stLink Data Card?
I would like to see the following:
-- Kaspersky Online Scanlog (from the Read Me First Sticky post)
-- Update AVG Anti-spyware definitions and get me that scanlog as well, please. (also in Read Me)
-- And a fresh HijackThis log
And we'll see what remains to be done.
Best
PP
Last edited by PhilliePhan; 01-29-2008 at 04:49 PM.