
Combofix worked for me.

7 replies to this topic

#1 dan129

dan129

  • Members
  • 3 posts
  • Local time:04:29 PM

Posted 06 July 2009 - 06:31 PM

Hi all,

Short version of the story:
I use WinXP SP2. System Restore is off at the mo unfortunately. Caught the win32trojan.tdss malware from a webpage. Browser acts up (but other browser is fine). Tried other malware removers such as Adaware. Only partial luck with Malware Bytes' Anti Malware prog. Tried Combofix, it worked great - no trace of win32trojan.tdss from what I can see. Shall I post the log?

More story details:
The partial luck with the Malware Bytes' prog sorted out the browser problems (usually random redirects from a link *within the initial HTML page*), but a scan from adaware still revealed the dreaded win32trojan.tdss malware. Hence my continued search for something that did the job better.

Apparently, I'm not supposed to use ComboFix (which I love btw) until I have posted here. I didn't heed the warning as I didn't see it until afterwards. But I seem to have come out lucky in the end - my system now seems fine. It picked up all the scary UAC************ hidden files in system32 (and some twain_32 files/folders), and got rid of them properly. I'll probably donate a bit.

Shall I post the log?

I wonder if those hidden UAC files would have shown under the BART PE bootup...

Edited by dan129, 06 July 2009 - 06:38 PM.



#2 master131

master131

  • Members
  • 366 posts
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:02:29 AM

Posted 06 July 2009 - 07:17 PM

I think you should read the message at the top of this page. I don't think you should have used ComboFix without supervision. It's not safe to just go and use it on your own, you know.

Edited by master131, 06 July 2009 - 07:17 PM.


#3 dan129

dan129
  • Topic Starter

  • Members
  • 3 posts
  • Local time:04:29 PM

Posted 06 July 2009 - 07:34 PM

Yes I know about the message at the top, but assumed it applied only to those who are still having problems. As I said, my PC is now 'fixed'. And again, I didn't read about having to post to this forum until after I downloaded and tried out ComboFix. Two others had the exact same issue as me (even on a separate forum from this one), and that's why I went ahead. Also there was nothing in the ComboFix install about having to post on here first.

In any case, the whole thing is so automated (no branches along the way) that I'm a little confused about why one may need guidance, especially as others had such success. Also, I had tried 'less drastic' options first, so this really was a last resort. In addition, I was also prepared to do a full HD format, so unless ComboFix has a field day with the HD and deletes everything, I'm not going to be too unhappy in any scenario.

But this is all academic anyway - it works! Is it too early to rejoice? And shall I post that log?

*****EDIT: OH btw, ComboFix explicitly says to post the ComboFix log in case there are any 'traces' of the badware left over. Is this simply not the right forum for it?

Edited by dan129, 06 July 2009 - 07:47 PM.


#4 master131

master131

  • Members
  • 366 posts
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:02:29 AM

Posted 06 July 2009 - 07:41 PM

I don't think you should post that log until a moderator gets a hold of your topic or when a moderator says to.

Edited by master131, 06 July 2009 - 07:41 PM.


#5 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:11:29 AM

Posted 06 July 2009 - 07:48 PM

No. Do not post ComboFix logs here. I am very happy that in your case ComboFix worked and did not cause problems. In the same breath, I can also say that I have seen more than a few times where ComboFix crashed a system. It is not a regular occurrence, but it does happen. Those words in blue were placed for a reason; please honor the wishes of the tool's creator and the staff of this forum by following those rules.

Thanks :thumbsup:

Edit:

I just saw your edit ... If you wish to post a log, and then have your combofix log reviewed, please follow these instructions...

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know.

Edited by rigel, 06 July 2009 - 07:49 PM.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#6 dan129

dan129
  • Topic Starter

  • Members
  • 3 posts
  • Local time:04:29 PM

Posted 06 July 2009 - 09:25 PM

Okay thank you. I'll probably get round to installing HJT then (in your experience, do you think there may be traces of the win32trojan.tdss infection still?).

That's somewhat semi-scary about ComboFix occasionally crashing the system. Speaking hypothetically, had that situation arisen, would it have left all the 100k or so 'work' files (non-Windows stuff, i.e. my own graphics/music files) intact if one were to treat the 'broken' HD as a slave on another PC?

Edited by dan129, 06 July 2009 - 09:28 PM.


#7 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:11:29 AM

Posted 07 July 2009 - 06:17 AM

To be honest, I'm not sure if you will still see the TDSS infection, or traces of it. TDSS has "grown" so much lately, that different versions are seen a lot here. With each new variation, tools have to be tweaked. So I guess it is possible that you may still have trace files left.

I am going to ask a HJT tech to answer part II.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 07 July 2009 - 07:16 AM

Combofix is a very powerful tool and can remove many types of infections. As infections constantly mutate, yes, Combofix could have removed enough of the TDSS so it's not fully active, but there is no guarantee that it removed everything. When a trained helper uses CF they can read the logs and determine what else is left to remove and then use CF in a special way to do so.

As for the crashing, there are a lot of nuances to the program and a trained helper will know to use it for certain things, but stay away from it for other things. If used improperly the program could make your computer inoperable, but it will never touch your data unless you specifically tell it to.
