
Can't Find Combofix.exe


  • This topic is locked
2 replies to this topic

#1 RMCCPA

RMCCPA

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:55 PM

Posted 28 November 2007 - 10:49 PM

I was given the following advice on the aumha.net forum:


Posted: Wed 11/28/07 05:01 pm Post subject:

--------------------------------------------------------------------------------

You have a couple of nasty things running on this computer. The major infection is a little tough, but doable, to remove. I need to identify the rootkit that is protecting the principal DLLs involved. That will require at least one pass with a scanning utility to find it. You also have an S-Bot infection, and likely some Vundo forms. We are not going to be able to get all of this in one sitting.

If you cannot use Normal, rather than Safe Mode, we are going to be limited in what we can accomplish. Please use Normal mode unless requested otherwise. The S-Bot check we will do in Safe Mode, but the rest in Normal mode. Begin in Normal mode.

If you are attempting to have both McAfee and Norton Antivirus installed, one of these has to be uninstalled. You are less protected from trying to have two antivirus applications active. Please use Add or Remove Programs and remove one of your installed antivirus software programs.

First Steps

The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.

Please download ATF Cleaner HERE by Atribune. It does not require any installation. It is set up to clean Windows TEMP folders, as well as IE, FireFox and Opera, Temporary Internet Files and Cookies.
Double-click ATF-Cleaner.exe to run the program.
For all browsers:

Under Main choose: Select All

Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)

Click Firefox at the top and choose: Select All

Click the Empty Selected button.
Next, if you use the Opera browser

Click Opera at the top and choose: Select All

Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

Close all programs so that you are at your desktop.

Double-click on the My Computer icon.

Select the Tools menu and click Folder Options.

After the new window appears select the View tab.

Put a checkmark in the checkbox labeled Display the contents of system folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Press the Apply button and then the OK button and exit My Computer.

Now your computer is configured to show all hidden files.
Malware Removal Steps

1. With all other applications closed (Taskbar empty), open HijackThis again, System Scan only. Checkmark these items (if found):

O2 - BHO: (no name) - {CD3D098D-34E5-4819-9429-FA5EFB14D76A} - C:\WINNT\system32\cfgbken.dll
O4 - HKLM\..\Run: [avp] C:\WINNT\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINNT\system32\spoolvs.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Click "Fix checked" and when the log panel clears exit HijackThis.

2. Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download this file from: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:
Code:

KILLALL:

File::
C:\WINNT\avp.exe
C:\WINNT\system32\spoolvs.exe
C:\WINNT\system32\cfgbken.dll
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.


The link shown to get ComboFix gets a redirect to a worthless site.

Thanks,

RMCCPA

Edit: Moved topic to the more appropriate forum. ~ Animal
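The HijackThis lines quoted in the aumha.net advice above are what a helper triages by eye: O2 entries are browser helper objects, O4 entries are autostart locations (Run keys and Startup folders), and O7 entries are policy restrictions. The following Python script is an added example, not part of this thread or of HijackThis, showing how a defender can put that eyeballing into repeatable checks: a lookalike test against well-known binary names (spoolvs.exe vs spoolsv.exe), a flag for bare file names and unresolved paths, a flag for unnamed BHOs, and a flag for policies that disable built-in tools. The sample log is constructed from the seven lines quoted above; the heuristics and the list of known binary names are the example's own assumptions.

```python
"""Triage of HijackThis O2/O4/O7 lines: flag entries worth a closer look.

Added example, not part of the thread or of HijackThis itself. The
heuristics and the list of well-known binary names are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the seven HijackThis lines quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {CD3D098D-34E5-4819-9429-FA5EFB14D76A} - C:\WINNT\system32\cfgbken.dll
O4 - HKLM\..\Run: [avp] C:\WINNT\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINNT\system32\spoolvs.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Assumption: a short list of Windows binaries whose names malware likes to
# imitate; a real deployment would use a fuller inventory.
KNOWN_SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                         "winlogon.exe", "services.exe", "explorer.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>\S+)$")
# First token ending in an executable extension; anything after it is arguments.
IMAGE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|com|bat|pif))(?:\s.*)?$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: a swapped pair of letters
    (spoolvs vs spoolsv) costs one edit, not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def image_path(cmd: str) -> str:
    """Strip command-line arguments, leaving only the program path."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def check_image(path: str) -> list[str]:
    """Heuristics on one autostart target; returns the reasons it stands out."""
    reasons: list[str] = []
    if "?" in path:
        # HijackThis prints '?' where it could not resolve the file.
        return ["unresolved path: HijackThis could not locate the file"]
    folder, _, name = path.rpartition("\\")
    name_l, folder_l = name.lower(), folder.lower()
    if not folder:
        reasons.append("bare file name: found via the PATH search order, not a fixed location")
    if re.search(r"\\(winnt|windows)$", folder_l):
        reasons.append("executable directly in the Windows directory (weak signal)")
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        dist = osa_distance(name_l, known)
        if dist == 0 and not folder_l.endswith("\\system32"):
            reasons.append(f"system binary name {known} outside system32")
        elif dist == 1:
            reasons.append(f"lookalike of {known}")
    return reasons


def triage(log: str) -> list[Finding]:
    """Parse O2/O4/O7 lines and return one Finding per reason to look closer."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: list[str] = []
        if (m := O2_RE.match(line)):
            if m.group("name") == "(no name)":
                reasons.append("browser helper object registered without a name")
            reasons += check_image(m.group("path"))
        elif (m := O4_RUN_RE.match(line)) or (m := O4_STARTUP_RE.match(line)):
            reasons += check_image(image_path(m.group("cmd")))
        elif (m := O7_RE.match(line)):
            if m.group("data") != "0":
                reasons.append(f"policy {m.group('value')} restricts built-in tools")
        findings.extend(Finding(line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:70} {f.line}")
```

Run against the sample, every one of the seven quoted lines produces a finding, while a normal entry such as ctfmon.exe in system32 produces none. The edit-distance check is the interesting part: plain Levenshtein scores spoolvs/spoolsv as two edits, so transposition-based name squatting slips past a distance-1 threshold unless transpositions are counted as a single edit, which is why the optimal-string-alignment variant is used here.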

#2 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • OFFLINE
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:04:55 PM

Posted 29 November 2007 - 12:07 AM

When I clicked the link for ComboFix, I was asked if I wanted to run or save the program.
You will not be taken to a website, instead the download box will open.
(I was asked to run ComboFix yesterday, I was given a Bleeping Computer link for it, and was able to save it to my desktop)
If you are getting something other than the download box, please let us know.

#3 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 35,319 posts
  • OFFLINE
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:02:55 PM

Posted 29 November 2007 - 12:09 AM

You should not be using Combofix unless you have been instructed to do so by a Malware Removal Expert. Which you have. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

With this in mind I would suggest that you post back to your thread at the aumha.net forum that the link provided to you was not working. The malware tech at the aumha.net forum may not know that there has possibly been a change to Combofix.

Since you are getting help from another forum, and to preclude you possibly being misdirected yet again, I am closing this thread.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

