BleepingComputer.com: Recommended use of ComboFIX

Hey. I've been trying to rid Trojans and Malware from my computer. I'm using Windows XP w/ ESET's "NOD32" virus protection.

I've been working with ESET to get rid of my virus. After about a week, they told be to use combofix since they couldn't figure out how to remove a trojan.

I've read It's highly recommended not to use combofix without the direct supervision of a pro. Who should I look to? What is my first step?

Thanks!

Hello bdgiant and to Bleepingcomputer

You are correct, Combofix is extremely dangerous to use without the direction and supervision of a specialist. It can actually cause problems when used as directed; such things are inevitable when you're using such a powerful tool though. One of the reasons for advising that you not run it unless supervised is so that side effects may be dealt with if and when they arise.

I'll have this thread relocated to Am I infected? What do I do? and will be glad to help you with your malware issues. We're not going to use Combofix though; it's use is restricted to the special Malware Removal forum. If we can't solve your problems with some basic techniques, we'll send you to the Malware Removal forum for advanced removal.

First we'll try to get rid of whatever is plaguing your system with some simple tools; if that fails we'll see where we need to go from there.

Could you describe in detail what the issue with your machine is? I understand you've found malware, but what symptoms are you experiencing? What are the filenames of the detected files? Et cetera. If this first tool doesn't kill it, that information will come in handy in determining the next step.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

In your next reply, please include the following:
Description of your issues
Malwarebytes log

From the start, I believe I unintentionally installed "scare ware." Before I could read the pop-up prompt, I clicked "yes" to install the false antispyware thinking it was the "would you like to close this window" pop-up.

NOD32 can't clean the trojan. It can detect it, but unable to clean it. It reads:
Object: Operating memory
Threat: Win32/Rootkit.Agent.ODG.Trojan
Information: Unable to clean

The virus stopped the application process of running any antispy/malware programs - Adaware, Spybot S&D, Superantispyware, and Malwarebytes. They would show up on the Task Mgr, but the application would not run. Upon startup, an error message would even tell me the windows application manager was unable to start. Other than running a little sluggish and the constant virus warnings, the only other symptom I found was every link in my Yahoo searches was redirected to more ads for various things.

I found an "alternate start" application for superantispyware which cleaned a lot of bugs, then I was able run malwarebytes. I did uninstall Adaware and Spybot S&D beforehand as instructed. However, after a few days, the bugs re-downloaded and installed themselves again with the same problems.

Malware and superantispyware both say they will complete removal upon restart (and I do immediately), but are still on my machine.

Malwarebytes log:

Malwarebytes' Anti-Malware 1.38
Database version: 2380
Windows 5.1.2600 Service Pack 3

7/6/2009 12:05:10 PM
mbam-log-2009-07-06 (12-05-10).txt

Scan type: Quick Scan
Objects scanned: 91429
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{56acb669-4139-5611-cbba-f5acb0f4db09} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACeuuskjhbxihulmq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACkyabiytymaelkwa.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACltbjgvhoqotenlg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqcrsqntqkibcuwq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqmtjmjuoxptvrxt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACtvtyedoeenqayea.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACexbbpeyotvrdqjk.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

Through some research, I found a couple other programs: RootRepeal to find out what the virus was (couldn't delete) then Dr.Web's CureIt!

I had to go in and manually delete a couple files that were being duplicated as soon as cureit deleted them. I've done a couple more scans of my computer with no bugs detected. I'll continue to be cautious for the next week in case it's still buried. Hopefully it's done will.