Post #1, Jul 2 2009, 10:21 AM
New Member | Group: Members | Posts: 3 | Joined: 2-July 09 | Member No.: 347,530
I've been working with ESET to get rid of my virus. After about a week, they told me to use ComboFix since they couldn't figure out how to remove a trojan. I've read it's highly recommended not to use ComboFix without the direct supervision of a pro. Who should I look to? What is my first step? Thanks!

This post has been edited by boopme: Jul 2 2009, 12:22 PM
Reason for edit: Moved from: AntiVirus, Firewall and Privacy Products and Protection Methods to AII ~~boopme
Post #2, Jul 2 2009, 10:39 AM
System Guardian | Group: HJT Senior Classmen | Posts: 2,972 | Joined: 20-January 09 | From: US | Member No.: 285,001
Hello bdgiant and
You are correct, ComboFix is extremely dangerous to use without the direction and supervision of a specialist. It can actually cause problems when used as directed; such things are inevitable when you're using such a powerful tool though. One of the reasons for advising that you not run it unless supervised is so that side effects may be dealt with if and when they arise.

I'll have this thread relocated to Am I infected? What do I do? and will be glad to help you with your malware issues. We're not going to use ComboFix though; its use is restricted to the special Malware Removal forum. If we can't solve your problems with some basic techniques, we'll send you to the Malware Removal forum for advanced removal. First we'll try to get rid of whatever is plaguing your system with some simple tools; if that fails we'll see where we need to go from there.

Could you describe in detail what the issue with your machine is? I understand you've found malware, but what symptoms are you experiencing? What are the filenames of the detected files? Et cetera. If this first tool doesn't kill it, that information will come in handy in determining the next step.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe. This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

In your next reply, please include the following:
- Description of your issues
- Malwarebytes log

--------------------
Member of the Bleeping Computer A.I.I. early response team!
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please feel free to send me a PM
Post #3, Jul 6 2009, 12:49 PM
New Member | Group: Members | Posts: 3 | Joined: 2-July 09 | Member No.: 347,530
From the start, I believe I unintentionally installed "scare ware." Before I could read the pop-up prompt, I clicked "yes" to install the false antispyware thinking it was the "would you like to close this window" pop-up.
NOD32 can't clean the trojan. It can detect it, but is unable to clean it. It reads:

Object: Operating memory
Threat: Win32/Rootkit.Agent.ODG.Trojan
Information: Unable to clean

The virus stopped the application process of running any antispy/malware programs - Adaware, Spybot S&D, Superantispyware, and Malwarebytes. They would show up on the Task Mgr, but the application would not run. Upon startup, an error message would even tell me the Windows application manager was unable to start. Other than running a little sluggish and the constant virus warnings, the only other symptom I found was every link in my Yahoo searches was redirected to more ads for various things. I found an "alternate start" application for Superantispyware which cleaned a lot of bugs, then I was able to run Malwarebytes. I did uninstall Adaware and Spybot S&D beforehand as instructed. However, after a few days, the bugs re-downloaded and installed themselves again with the same problems. Malware and Superantispyware both say they will complete removal upon restart (and I do immediately), but are still on my machine.

Malwarebytes log:

Malwarebytes' Anti-Malware 1.38
Database version: 2380
Windows 5.1.2600 Service Pack 3

7/6/2009 12:05:10 PM
mbam-log-2009-07-06 (12-05-10).txt

Scan type: Quick Scan
Objects scanned: 91429
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{56acb669-4139-5611-cbba-f5acb0f4db09} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACeuuskjhbxihulmq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACkyabiytymaelkwa.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACltbjgvhoqotenlg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqcrsqntqkibcuwq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqmtjmjuoxptvrxt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACtvtyedoeenqayea.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACexbbpeyotvrdqjk.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
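As an added example, not part of this thread and not Malwarebytes' own tooling, the Python script below parses the log format posted above (the detection entries reflowed one per line as a constructed sample), checks that the declared per-section counts match the items actually listed, tallies the detection families, flags the UAC-prefixed randomly named files under system32 that characterise this TDSS infection, and returns whether the findings are rootkit-class and so warrant the hand-off to the malware removal team that the helper makes in the next post. The section names, the UAC naming pattern and the escalation rule are assumptions drawn only from this one log.

```python
import re
from collections import Counter

# Constructed sample input: the Malwarebytes 1.38 log posted in this thread, reflowed
# one entry per line (the forum rendering ran the whole log together on one line).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2380
Windows 5.1.2600 Service Pack 3
Scan type: Quick Scan
Objects scanned: 91429
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Files Infected: 8
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{56acb669-4139-5611-cbba-f5acb0f4db09} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
Registry Values Infected: (No malicious items detected)
Files Infected:
c:\WINDOWS\system32\UACeuuskjhbxihulmq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACkyabiytymaelkwa.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACltbjgvhoqotenlg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqcrsqntqkibcuwq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqmtjmjuoxptvrxt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACtvtyedoeenqayea.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACexbbpeyotvrdqjk.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Section header, either a summary count ("Files Infected: 8") or the start of a
# detail section ("Files Infected:" / "... Infected: (No malicious items detected)").
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<rest>.*)$")
# One detection entry: "<item> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Assumed naming pattern of the rootkit files in this log: "UAC" plus a run of letters,
# as .dll or .sys, dropped directly under system32 or system32\drivers.
UAC_NAME_RE = re.compile(r"^uac[a-z]+\.(?:dll|sys)$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (detections, declared): a list of entry dicts and the summary counts."""
    detections, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if m.group("rest").isdigit():
                declared[m.group("section")] = int(m.group("rest"))
            else:
                section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append({"section": section, "item": m.group("item"),
                               "family": m.group("family"), "action": m.group("action")})
    return detections, declared


def counts_match(detections, declared):
    """True when every declared section count equals the number of entries listed."""
    found = Counter(d["section"] for d in detections)
    return all(found.get(sec, 0) == n for sec, n in declared.items())


def families(detections):
    """Tally of detection family names (Trojan.TDSS, Rootkit.Trace, ...)."""
    return Counter(d["family"] for d in detections)


def uac_named_files(detections):
    """Paths of detected files that follow the UAC-prefixed naming seen in this log."""
    hits = []
    for d in detections:
        if d["section"] != "Files Infected":
            continue
        path = d["item"]
        base = path.rsplit("\\", 1)[-1]
        if "\\windows\\system32\\" in path.lower() and UAC_NAME_RE.match(base):
            hits.append(path)
    return hits


def needs_escalation(detections):
    """Assumed triage rule: any Rootkit.* family, Trojan.TDSS, or a .sys driver
    means the basic-tool tier should hand the case to the malware removal team."""
    for d in detections:
        fam = d["family"]
        if fam.startswith("Rootkit.") or fam == "Trojan.TDSS" or d["item"].lower().endswith(".sys"):
            return True
    return False


if __name__ == "__main__":
    dets, declared = parse_mbam_log(SAMPLE_LOG)
    print("entries:", len(dets), "counts consistent:", counts_match(dets, declared))
    print("families:", dict(families(dets)))
    print("UAC-named files:", len(uac_named_files(dets)))
    print("escalate to malware removal:", needs_escalation(dets))
```

The log in this thread declares 2 registry keys and 8 files and lists exactly those, every one of the 8 files matches the UAC naming pattern (including the kernel driver under system32\drivers), and the Rootkit.Trace and Trojan.TDSS hits trip the escalation rule, which is the same conclusion the helper reaches in post #4.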
Post #4, Jul 6 2009, 01:16 PM
System Guardian | Group: HJT Senior Classmen | Posts: 2,972 | Joined: 20-January 09 | From: US | Member No.: 285,001
With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

--------------------
Member of the Bleeping Computer A.I.I. early response team!
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please feel free to send me a PM
Post #5, Jul 8 2009, 06:10 PM
New Member | Group: Members | Posts: 3 | Joined: 2-July 09 | Member No.: 347,530
Through some research, I found a couple other programs: RootRepeal to find out what the virus was (couldn't delete) then Dr.Web's CureIt!
I had to go in and manually delete a couple files that were being duplicated as soon as CureIt deleted them. I've done a couple more scans of my computer with no bugs detected. I'll continue to be cautious for the next week in case it's still buried. Hopefully it's done well.