BleepingComputer.com: I Think I Need To Run ComboFix...

Hey people, I've been reading this board for awhile & think it's one of the best. I now need some help from you good people

I'll try to make this short. I keep my computer in my basement office & like a fool, I've allowed a few employee's & some friends use of my computer. I've noticed some problems recently & suspect those people have been going to adult sites & probably picked up some nasty trojan/adware stuff. I can't be sure of that but it's the only thing that makes sense, since I'm very careful myself online

The problems are many...

#1: Awhile back I couldn't get to my desktop, I believe I had the black screen of death. I made another account & was able to get it back. The only problem is I can't run my Trend Micro anymore. It just won't open or run. So, one account isn't working & one account is but with problems

#2: For the past few days, I could only get to my desktop & online via safe mode. When I got on normal mode, I couldn't get online. Then, after a few days, I simply got the black screen of death

#3: I hit F8 & saw the "last good configuration" listing & hit that. That got me back to my normal mode but with the same problems as before. I can get online now but I can't run certain things. Also, my computer keeps freezing up, doing strange things, that sort of thing

I'm almost sure it's viruses or ad/spyware. I have run a few anti-virus programs like Avast & Avira, plus Trend Micro in safe mode & they don't find anything. I've also run Malwarebytes which found nothing. Super-antispyware found about 50 ad cookies which I removed

So, I'm thinking of running ComboFix but read on this site it should be done under the supervision of trained people. Should I indeed run this?

I was going to wipe out my computer & try to re-install back to the original factory settings but decided I had too many things that I'd lose. I can't get my backup drive to burn a CD & don't have the disk for Vista anyway. All I know is I'm sick of the slowness, the freezes & the general BS I'm having to put up with

Help please

If you want to run ComboFix due to malware infection, please be aware that using it is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning an strategy for effective disinfection and a determination if using ComboFix is necessary. ComboFix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware which scan individual drives or different folders on a computer for viruses.

Quote

Do you have all three installed or did you remove and replace with another before running?

Please post the results of your last MBAM scan for review (even if nothing was found).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.

• Click the Logs Tab at the top.
  
• The log will be named by the date of scan in the following format: mbam-log-date(time).txt
  -- If you have previously used MBAM, there may be several logs showing in the list.
  
• Click on the log name to highlight it.
  
• Go to the bottom and click on Open.
  
• The log should automatically open in notepad as a text file.
  
• Go to Edit and choose Select all.
  
• Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  
• Come back to this thread, click Add Reply, then right-click and choose Paste.
  
• Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd


Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

• Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  
• If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  
• Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  Vista/Windows 7 users right-click and select Run As Administrator.

• When the program opens, click the Start Scan button.
  
• Do not use the computer during the scan
  
• If the scan completes with nothing found, click Close to exit.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  
• Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.<- Important!!
  Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  
• A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  
• Copy and paste the contents of that file in your next reply.

-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.


Please download Norman Malware Cleaner and save to your desktop.
alternate download link
If you previously used Norman, delete that version and download it again as the tool is frequently updated!

• Be sure to read all the information Norman provides on that same page.
  
• Double-click on Norman_Malware_Cleaner.exe to start. Vista/Windows 7 users right-click and select Run As Administrator.
  The tool is very slow to load as it uses a special driver. This is normal so please be patient.
  
• Read the End User License Agreement and click the Accept button to open the scanning window.
  
• Click Start Scan to begin.
  
• In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot to ensure that all infections are removed.
  
• After the scan has finished, a log file a log file named NFix_date_time (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  
• Copy and paste the contents of that file in your next reply.

-- Note: If you need to scan a usb flash drives or other removable drives not listed, use the Add button to browse to the drives location, click on the drive to highlight and choose Ok.

Thanks for the response Quiet (& hopefully help throughout the process)

I have all three anti-virus programs installed. My original, Trend Micro, will only run in safe mode & then, it only runs a quick scan. The program will not open normally. I also have McAfee but haven't run that in ages

OK, I'll do as directed & post the results soon. I don't have a lot of time so it may be a day or two

Again, thanks for your help

I'm running another full scan now. If there's anything new, I'll post it. Here's the last Malwarebytes log from a few days ago...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18999

1/23/2011 9:02:45 PM
mbam-log-2011-01-23 (21-02-45).txt

Scan type: Quick scan
Objects scanned: 126070
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This post has been edited by 7Mozart7: 29 January 2011 - 11:07 AM

After completing the reminder of my previous instructions, continue as follows:

Your Malwarebytes Anti-Malware log indicates you are using an older version (1.46) with with an outdated database. Please download and install the most current version (v1.50.1) from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

The database shows 4052. Last I checked it was 5636.

Update the database through the program's interface <- preferable method. Then perform a Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

If malware is blocking you from updating, then manually download the database definitions from one of the following locations (they may not be the most current) and just double-click on mbam-rules.exe to install:

• download link 1 <- under Download Locations, choose the MajorGeeks link
  
• download link 2

IMPORTANT NOTE: Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to conflicts that can arise when they are running in real-time mode simultaneously and issues with Windows resource management. Even if one of them is disabled for use as a stand-alone scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves into the operating systems core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus may interpret the activity of the other as suspicious behavior and there is a greater chance of them alerting you to a "False Positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that virus or suspicious file. Each anti-virus may attempt to remove the offending file and quarantine it at the same time resulting in a resource management issue as to which program gets permission to act first. If one anit-virus finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a threat has been found when that is not the case.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, many anti-virus vendors encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of others and may insist they be removed prior to download and installation of another. If the installation does complete with another anti-virus already installed, you may encounter issues like system freezing, unresponsiveness or similar symptoms while trying to use it.

To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

Anti-virus vendors recommend that you install and run only one anti-virus program at a time

• Symantec's statement
  
• Eset's Statement
  
• Avast's statement
  
• AVG's statement
  
• Dell Support statement

You can always supplement your anti-virus by performing an Online Virus Scan.

Hi quiet, & thanks again for responding

OK, I'll uninstall all but one anti-virus & run another scan. I'll download the newer Malwarebytes & post the results soon.

I've completed the tasks that you told me to do above. Below find the results

TDSSKiller: Found nothing

Norman Malware Cleaner:

Cleaner
Version 1.8.3
Copyright © 1990 - 2010, Norman ASA. Built 2011/01/29 02:14:33

Norman Scanner Engine Version: 6.06.12
Nvcbin.def Version: 6.06.00, Date: 2011/01/29 02:14:33, Variants: 9596601

Scan started: 2011/01/29 15:40:51

Running pre-scan cleanup routine:
Operating System: Microsoft Windows Vista 6.0.6002 Service Pack 2
Logged on user: Mike-PC\Handyman


Scanning kernel...

Kernel scan complete


Scanning bootsectors...

Number of sectors found: 1
Number of sectors scanned: 1
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 47ms


Scanning running processes and process memory...

Number of processes/threads found: 6471
Number of processes/threads scanned: 6471
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 8m 33s


Scanning file system...

Scanning: prescan

Scanning: C:\*.*

C:\System Volume Information\{15b7bda1-2a72-11e0-af39-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{15b7bdd2-2a72-11e0-af39-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\Users\Handyman\AppData\Local\Mozilla\Firefox\Profiles\k3sxadd0.default\Cache\D03B247Ad01/file0 (Error whilst scanning file: I/O Error (0x00220005))


C:\Users\Mike\AppData\Local\Mozilla\Firefox\Profiles\imlx1mbg.default\Cache\D59E8942d01/file0 (Error whilst scanning file: I/O Error (0x00220005))

C:\Users\Mike\Desktop\New FolderZSM-1\PHOTOS-2New Folder\ferotKRsta.rar/ferotKRsta.wmv (Error whilst scanning file: I/O Error (0x00220005))

C:\Users\Mike\Desktop\New FolderZSM-1\PHOTOS-2New Folder\flvplayer_setup.exe/noname.nsis/file12/file0 (Error whilst scanning file: I/O Error (0x00220000))


Scanning: D:\*.*

D:\System Volume Information\{15b7bda0-2a72-11e0-af39-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{15b7bdd1-2a72-11e0-af39-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{5bd83fee-1fe1-11e0-8a67-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{5bd84056-1fe1-11e0-8a67-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{5bd84090-1fe1-11e0-8a67-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{5bd840cd-1fe1-11e0-8a67-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{5bd8410e-1fe1-11e0-8a67-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{5bd84176-1fe1-11e0-8a67-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{916dc248-25bb-11e0-972c-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{916dc251-25bb-11e0-972c-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{916dc25b-25bb-11e0-972c-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{916dc29a-25bb-11e0-972c-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedb3f-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedb61-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedb99-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedbb9-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedbef-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedc14-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedc37-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedcab-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedcf0-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedd11-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedd4d-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbedd75-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bcbeddb5-153c-11e0-8bff-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{ffceb960-1e30-11e0-82f7-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{ffceb9ce-1e30-11e0-82f7-00038a000015}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

Scanning: Q:\*.*

Scanning: postscan


Running post-scan cleanup routine:
Set TCP/IP autotuning to "normal" (or it was already "normal")

Number of files found: 714978
Number of archives unpacked: 7816
Number of files scanned: 714793
Number of files not scanned: 185
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0

So I guess I'm clean on those two scans

This post has been edited by 7Mozart7: 30 January 2011 - 02:18 PM

Quote

Ok.

So far I see nothing of concern.

OK, ran the newest version of Malwarebytes & the results are posted below.

It found three infections & I clicked on "remove" & it restarted the computer. Upon rebooting, it went through the normal motions, then when I signed on to the account, it went into the black screen (with just the white cursor visible) for about 4 minutes before finally going into my desktop

I haven't tried going into my original account yet, the one that wasn't working. But my TrendMicro still won't open on this account. Can the other anti-virus programs be stopping Trend from opening? Also, I have Microsoft Security Essentials on here too, is that OK?

Just a note, as I was typing this, the cursor froze up & was just a circle spinning for a minute or two, as my computer made noises. It seems to do that a lot

Anyway, here's the Malware log...

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5640

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

1/30/2011 5:15:02 PM
mbam-log-2011-01-30 (17-15-02).txt

Scan type: Full scan (C:\|D:\|Q:\|)
Objects scanned: 361329
Time elapsed: 3 hour(s), 18 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Handyman\AppData\Roaming\jsdfgs.bat (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\Handyman\AppData\Roaming\microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.

Quote

No. MSE is an anti-virus program so using it alongside other anti-virus solutions can be problematic.

Quote

With all the different anti-virus programs you have used, its possible a conflict issue has arisen.

I would redownload TrenMicro's most current version (if that's the one you want to use) and do a reinstall after you have completely removed all other anti-virus programs. Do this while disconnected from the Internet. When done and its working properly, then reconnect and update.

I would also download and save an alternate anti-virus (i.e. avast, avira, etc) but do not install. That way if TrendMicro is still causing issues, remove it completely and just install one alternative.

When done, perform a full system scan and let me know how the computer is running.

Thanks quiet

Do you guys recommend one anti-virus over the others?

Anyway, I'll do as instructed & let you know

Choosing an anti-virus is a matter of personal preference, your needs, your needs, your technical ability and experience, features offered, user friendliness, ease of updating (and upgrading to new program release), ease of installation/removal, available technical support from the vendor and price. Other factors to consider include detection rates and methods, scanning engine effectiveness, how often virus definitions are updated, the amount of resources the program utilizes, how it may affect system performance and what will work best for your system. A particular anti-virus that works well for one person may not work as well for another. There is no universal "one size fits all" solution that works for everyone and there is no best anti-virus. You may need to experiment and find the one most suitable for your needs. For more specific information to consider, please read Choosing Your Anti-virus Software.

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. Just because one anti-virus detected threats that another missed, does not mean its more effective. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense, safe computing and safe surfing habits provides the most complete protection.

• Important Tip: Always remember that security begins with personal responsibility.

My personal choice is NOD32 Anti-Virus if choosing a paid for program as it leaves a small foortprint or one of the following if choosing a free alternative.

• avast! Free Antivirus
  
• Microsoft Security Essentials
  
• Avira AntiVir Personal - Free Antivirus