
Help restoring registry backups after running ComboFix.


13 replies to this topic

#1 atriad

atriad

  • Members
  • 7 posts
  • Gender:Male
  • Location:boston, ma

Posted 24 March 2008 - 12:32 PM

In order not to lose all your files, I recommend taking the hard drive out, temporarily adding it to another machine and copying the files you wish to retain. Make sure this second machine has up-to-date, legitimate antivirus protection. Please run a virus scan on these files to be sure you do not infect the secondary machine. I would also recommend you install an antispyware application on this secondary machine as well. I personally use Spy Sweeper. It is $-ware but you can get a 30-day trial from the manufacturer's website. This will ensure you do not infect the other machine.

Once that is said and done you should break out the good ole' Windows disc and get to rebuilding (provided a fix for the problems caused by ComboFix does not surface in the VERY near future. About 10 minutes for me!!! lol)

There is a half-ass written guide that explains a little about combofix here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The author mentions the need for having access to the recovery console, yet makes no mention of what to do with it when ComboFix kills your computer.

In the future I recommend against running ComboFix, as the results of running the application seem worse than the viruses that infected the machine initially. Hopefully there are other ways of cleaning these viruses/spyware/malware off the system.

Good Luck,

Paul


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • Gender:Male
  • Location:USA

Posted 24 March 2008 - 01:12 PM

Laska,

You have not lost your data. I will see if I can get someone to help you repair the problem you are having. Please be patient while I find someone to walk you through the steps.


Paul,

Welcome to the site. Though I do not normally comment on posts like these, I felt it was necessary in order to educate certain people who make "half-assed" remarks.

The so-called "half-ass" guide was written by me and was made purposely vague. If you read the "half-assed" guide you will see that it specifically states the following:

Due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer. Instead you should use this guide to download and run ComboFix and then post the resulting log in a forum that contains helpers who understand how to diagnose them. These helpers will then help you clean your computer of infections so that it is running properly again.


Please take note of the underlined text above. As you can see from reading the above text, the program is not meant to be run by anyone who is not being supervised by a trained helper. Anyone working with CF logs here at BC has been trained on its proper usage and how to recover a computer in the case, rare as it is, that a problem occurs after running CF.

Furthermore the guide states:

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.


Notice the bolded and underlined "us" in the above text. The recovery console is meant to allow us, the helpers, to assist you in getting your computer repaired in the event there is a problem after running ComboFix.

Now you may say that's ridiculous, because if there is a problem with a computer how are they supposed to contact you? Our thoughts are that many people have two computers in their household. They can easily ask us for help from the second computer. Other people, without two computers, can for a very small price go to a cybercafe or their local library and post their problem as well. Laska being able to let us know that they have a problem after running it is a case in point.

I also want to say that the lack of information being provided is not done out of a sense of superiority. It is being done to protect you. ComboFix is a very powerful tool, and in the hands of someone who does not know how to use it properly, it can cause problems on the computer. It should also be stated that a security tool is only as effective as the little amount of information about its internals that is disclosed. We wouldn't want the malware writers to learn the inner workings of one of the best removal tools available, would we?

#3 atriad

atriad
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:boston, ma

Posted 24 March 2008 - 01:27 PM

Good Afternoon,

Thanks for the reply, as I was just about to format my customer's computer. Well, I'm sure you can imagine the frustration of someone who had just killed a computer by utilizing a tool intended to fix problems as opposed to cause more.

I can understand the need for hiding information from end users, yet a guide should contain all necessary information for all what-ifs and what-nots. Perhaps a separate guide for end users and one for advanced users? Especially when I am a seasoned professional who has killed a machine by running a simple tool. Can you point me in the right direction on what to do to get this system back to a running state? I would prefer not to be stuck at this law office till 6pm rebuilding this machine after the damage caused by ComboFix.

Thanks

Paul

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • Gender:Male
  • Location:USA

Posted 24 March 2008 - 01:31 PM

Did you install the recovery console as requested in the guide?

Are you having the blank screen problem as well?

#5 atriad

atriad
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:boston, ma

Posted 24 March 2008 - 01:33 PM

Recovery console is not installed; I have booted into the XP Setup using the XP Pro SP2 CD. Yes, I do not get a login box when booting into Windows (in any mode, safe/last known/normal/etc.). I assume I can perform the proper functions while logged into the recovery console off the Windows CD? (Of course, ya know what happens when ya assume....)

Edited by atriad, 24 March 2008 - 01:36 PM.


#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • Gender:Male
  • Location:USA

Posted 24 March 2008 - 01:39 PM

I am going to split your topic off to another one as I do not want to hijack Laska's topic. In the meantime, get that computer into the recovery console by booting with the XP CD and then pressing the R key when at the setup menu to load the recovery console.

#7 atriad

atriad
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:boston, ma

Posted 24 March 2008 - 01:43 PM

I am in the recovery console on the machine.

Thanks for the help.

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • Gender:Male
  • Location:USA

Posted 24 March 2008 - 01:45 PM

At the command prompt type the following (assuming you are in the C:\Windows folder currently):

cd ERDNT\hiv-backup

Press enter on the keyboard.

At the next prompt type:

batch erdnt.con

Press enter on the keyboard.

The backups will start to be restored.

When done, type exit and enter to reboot the computer.

Please reply back and let us know if the problem is resolved.

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • Gender:Male
  • Location:USA

Posted 24 March 2008 - 01:48 PM

Left out the CD command above. I have edited the instructions. Please re-follow the above steps in RC.
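Before restoring the ERDNT hive backups with `batch erdnt.con`, someone who has pulled the drive into a second machine (as post #1 suggests) can sanity-check the backed-up hive files offline. This is an added example, not code from the thread or from ERDNT/ComboFix: it parses the `regf` base block of a hive file (signature, format version, primary/secondary sequence numbers, and the header XOR checksum) so a truncated or half-written backup is caught before it is written over the live registry. The backup path and the minimal sample hive are constructed assumptions.

```python
import struct
import sys

HIVE_MAGIC = b"regf"
BASE_BLOCK = 0x200  # only the first 512 bytes of a hive are covered by the header checksum


def hive_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs at 0x000-0x1FB (the stored checksum sits at 0x1FC)."""
    xor = 0
    for off in range(0, 0x1FC, 4):
        xor ^= struct.unpack_from("<I", block, off)[0]
    # Windows never stores 0 or 0xFFFFFFFF as a checksum; it substitutes these values.
    if xor == 0:
        return 1
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return xor


def check_hive(data: bytes) -> dict:
    """Report whether `data` looks like a consistent hive base block worth restoring."""
    if len(data) < BASE_BLOCK or data[:4] != HIVE_MAGIC:
        return {"valid": False, "dirty": None, "version": None, "reason": "missing regf signature"}
    primary, secondary = struct.unpack_from("<II", data, 0x04)
    major, minor = struct.unpack_from("<II", data, 0x14)
    stored = struct.unpack_from("<I", data, 0x1FC)[0]
    computed = hive_checksum(data[:BASE_BLOCK])
    return {
        "valid": stored == computed,
        # Unequal sequence numbers mean a write was interrupted: the hive may need its .LOG replayed.
        "dirty": primary != secondary,
        "version": f"{major}.{minor}",
        "reason": "" if stored == computed else "header checksum mismatch",
    }


def make_sample_hive(primary: int = 5, secondary: int = 5, corrupt: bool = False) -> bytes:
    """Constructed 512-byte base block for testing; not a real hive from any system."""
    hdr = bytearray(BASE_BLOCK)
    hdr[:4] = HIVE_MAGIC
    struct.pack_into("<II", hdr, 0x04, primary, secondary)
    struct.pack_into("<II", hdr, 0x14, 1, 3)  # hive format 1.3, as written by Windows XP
    struct.pack_into("<I", hdr, 0x1FC, hive_checksum(bytes(hdr)))
    if corrupt:
        hdr[0x30] ^= 0xFF  # damage a byte inside the checksummed region
    return bytes(hdr)


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the files under <drive>\Windows\ERDNT\Hiv-backup (assumed path)
        with open(path, "rb") as fh:
            print(path, check_hive(fh.read(BASE_BLOCK)))
```

A hive reported as not valid should not be restored; a dirty one may still load, since Windows reconciles the sequence numbers from the transaction log at boot.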

#10 atriad

atriad
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:boston, ma

Posted 24 March 2008 - 01:55 PM

Grinler,

Yeah, I caught that, seeing that ERDNT and Hiv-backup were both directories. Thanks very much for helping me with that command, though.


Now, after doing the registry restore, I am still infected with numerous buggies. The machine is pretty quick, yet explorer is still slow to startup and hangs for about 20 seconds after logging in. Is there anything else you recommend that I try?

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • Gender:Male
  • Location:USA

Posted 24 March 2008 - 01:59 PM

I am glad we were able to get the computer up and running again.

As for the malware, well, you are unfortunately back where you started. My only suggestion is to post a HijackThis log in our forum and hope someone can get to it soon. We have a HUGE backlog, so that does not look promising, though.

#12 atriad

atriad
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:boston, ma

Posted 24 March 2008 - 02:03 PM

Thanks for the help and seeing me through this issue.

Paul

#13 ssearcherr

ssearcherr

  • Members
  • 1 posts

Posted 15 August 2008 - 06:25 PM

How do you explain this

Scan taken on 15 Aug 2008 22:31:33 (GMT)

of the file ComboFix.exe

at http://virusscan.jotti.org/


AntiVir
Found APPL/NirCmd.E.2.B, APPL/NirCmd.E.1.B, APPL/Rmadmin.131072, SPR/Tool.PV

Dr.Web
Found Program.PsExec.171

F-Prot Antivirus
Found W32/KillProc.C

Fortinet
Found HackerTool/KillProc (probable variant)

Mr. Bleeper ??????????????????????????????????????????????????

I guess....
ComboFix is a fraud!!!
Security advisers need people to have viruses in their computers!
They choose to be dirty-malware or cleanware advisers!
They think they profit!
But they pay the price!
As do pay who sweep things under the carpet!
Cancer helps cleaning this type of advisers from the world!
For me anybody is honest until they swindle, proving the opposite!
But there are people who think that anybody is untruthful until proven innocent.
This type of people have to distrust because they are suspect!
Just fear who ought to!
Just distrust who's untruthful, who defraud, who cheat!!
And who uses the others to take advantage must pay the price!
Who treads over other's heads must pay the price!
Cancer helps cleaning this type of worms from the world!

Edited by ssearcherr, 15 August 2008 - 06:48 PM.


#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 August 2008 - 10:56 PM

How do you explain this

Combofix is not malware. However, certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, and the registry fixes and malware strings it contains.

Some common detections include process.exe, prcviewer.exe, pv.cfexe (pv.exe), nircmd.exe and catchme.exe.

NirCmd is a command-line utility that allows writing to and deletion of values and keys in the registry.
Process.exe is a program used to stop system processes.
Catchme is a rootkit scanner that detects all userland rootkits.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".

BTW, please note the message text in blue at the top of this forum.

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.