
Directed to Bleeping Computer/Combofix/Log file


19 replies to this topic

#1 Diligenterprise

Diligenterprise

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 23 November 2009 - 05:12 PM

Hello, For more than three days I have been trying to rid a virus named Antivirus Pro 2010 by Googling this word and downloading to CD at least 10 antivirus programs before somehow I ended up downloading Combofix. In the instructions it indicated to copy the Log file and go no further. First, I have to start in Safe Mode because that AVP2010 won't even allow me to go online, so I saved Combofix to a CD on another computer and then scanned my infected computer with that CD. The safe mode would not let me disable or remove Norton so I had to scan with Norton in place. Everything else indicated in the instructions up to and including the logfile on notepad worked. I had to save the logfile on a USB SanDisk. Now back at Bleeping Computer in the forums it indicated not to send a Combofix Log File unless . . . I honestly don't recall the steps I took to get there. Is there someone who can accept/diagnose/assist me with trying to rid my computer of this virus? Eternally grateful, e-mail removed to protect from spambots. ~ OB

Edited by Orange Blossom, 23 November 2009 - 06:33 PM.



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,806 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:01 AM

Posted 23 November 2009 - 06:35 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Do you recall what programs you ran besides ComboFix? Also, please tell us what your operating system is.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Diligenterprise

Diligenterprise
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 24 November 2009 - 02:22 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Do you recall what programs you ran besides ComboFix? Also, please tell us what your operating system is.

Orange Blossom :thumbsup:

Thank you OrangeBlossom for your response. So far I remember using Malwarebytes which was already on the computer, Norton (maybe 2005 or 2006) which was a free trial version that came up when I had to do a recovery, Spydoctor, Stopzilla, Kaspersky, Panda (maybe 2009 when a suggestion sent me to a [registry?] showing me everything that was installed on the machine) and then I started labeling CDs 1st attempt, 2nd, 3rd . . out of frustration. I would Google and go down the suggestions.

The computers we have here are all used and/or recycled and the one with the virus is XP Home Edition SP2. This computer I'm using now is XP Professional and I believe the burned CD that the previous owner supplied said something like student edition. He had a COA in magic marker and told me that there are literally thousands of OS with the same number being the edition it was. It seemed to work and is still working so I didn't investigate any further.

I know I have a lot to learn but at 60+ it takes a while to understand all this tech stuff; once again thanks!

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:01 PM

Posted 25 November 2009 - 03:43 PM

Hello Diligenterprise and :thumbsup: to BleepingComputer!

First of all a warning. It's not a good idea to run Combofix on your own. You can do quite some damage that way.

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


In order to know where to start, please tell me what problems you are still having at the moment. Don't worry, we will get this sorted out :flowers:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Diligenterprise

Diligenterprise
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 26 November 2009 - 09:06 AM

Thank you Elise for your response and the Combofix warning. As I tried to solve this problem, I took all the advisements and warnings seriously and did the minimal things such as don't start changing things in the registry unless one knows what they're doing, etc. The same with Combofix; I heeded the warning: "just go as far as the logfile . . ." The only thing I did was save it to a SanDisk as I couldn't save it anywhere else.

Sometime last week someone in the family got a nasty virus called Antivirus Pro. I don't know where the 2010 came from but it appears in virtually all of the Google searches. We had these problems before, hence Malwarebytes is/was installed on the infected computer, and MWRBytes seemed to solve the problem.

Basically the computer only can be started in safe mode; if started normally, right after all the icons appear the AVP2010 takes over and anytime I click the mouse or hit enter an error advises, to paraphrase: "Cannot complete task as abc.exe is infected. Do you want AVP2010 to . . . .?" No matter what you click it starts a series of popups until some disgusting porn fills up the entire screen. 5 children are here, the youngest 4, so the computer is shut off.
Using Windows XP Home Edition SP2. My second post lists all the Malware/Spyware downloads I tried. Had to download to a CD on another computer and use the CD in Safe Mode. Only Kaspersky wouldn't load in the infected machine using this method.

Any help is greatly suggested.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:01 PM

Posted 26 November 2009 - 09:30 AM

Hello again :thumbsup:

The same with Combofix; I heeded the warning: "just go as far as the logfile . . ." The only thing I did was save it to a SanDisk as I couldn't save it anywhere else.

Where did you find that warning? Going as far as the logfile already does a lot of things and is completely able to cause serious damage to your computer. It does not just create a logfile, but also does a lot of other things and can cause serious damage.
When you run it on your own, you are not assured of any support from qualified helpers or Combofix's developers when something goes wrong.

Does Malwarebytes Anti-Malware still run? If so, you should download the latest definitions to a flash drive or a CD.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

You can also try to boot in safe mode with Networking, which should allow your internet connection.

Run MBAM in safe mode, update it first as explained above, and run a full scan.

Let me know how that went.

regards, Elise




#7 Diligenterprise

Diligenterprise
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 27 November 2009 - 07:10 PM

Thanks for the help and suggestions. We're just a family struggling to keep up with the computer for our everyday needs. I'll be the first to admit no one in our family had any classes in computers and we're far behind. Things like the Safe Mode Network had me thinking that was for an office full of computers. Things like we don't even know how to secure the wireless connection or setting the computer up for Outlook Express owing to the terms POP, STMP server, addresses etc. So we just cut and paste and use juno or google mail. We're not proud but just stating the way it is for us.

I managed to find the MLWRB latest definitions, saved it to a CD from another computer, then ran it in the infected computer that was started in Safe Mode Networks. Did a full scan and there were 6 results:

(1-4) Trojan Dropper> File>C:\Documents and the next 3: C:\Volume info; then
(5) Trojan Fake Alert in Registry Value HKEY Local Machine
(6) Disabled Security in Registry Data HKEY Local Machine

And in all the results I took no action awaiting instructions. They are all checked with a bold tab that suggests: Remove Selected; Ignore; Save Logfile or Main Menu

We await the next instruction/suggestion/help, Thanks

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:01 PM

Posted 28 November 2009 - 04:05 AM

Remove all found infections.

It's no problem if you don't understand something :thumbsup:

Just ask me, that's what we are here for!

regards, Elise




#9 Diligenterprise

Diligenterprise
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 28 November 2009 - 01:38 PM

As always, thank you. I removed the items and was requested to turn the machine off, so I restarted in safe mode network. I was asked Administrator or HP Owner so I chose Administrator and Internet Explorer and I got online through AOL which we never used before. So I went to our previous homepage iGoogle and signed in and went online. I then went to shut down and let it restart normally. We were excited when the AVPRO2010 did not appear right after the wireless card was detected. That is when AVPRO would appear.

After all the icons appeared, I clicked Internet Explorer and got the "cannot find server," and tried the following suggestions from refresh to SSL, TLS, etc. If I go to Start>Log off>Switch User I only get the HP Owner and not the Administrator choice.

In safe mode network I get the choice of Administrator or HP Owner.

Any suggestions of what to do from here? Thanks.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:01 PM

Posted 28 November 2009 - 01:52 PM

Hello, it's good to hear the AV PRO is gone :thumbsup:

As for the internet problem:

So far...
You are NOT able to use the internet in Normal Mode
You are able to use the internet in Safe Mode with Networking, logged in as administrator.

Please let me know if you are able to use the internet in Safe Mode with Networking, logged in as HP Owner.

regards, Elise




#11 Diligenterprise

Diligenterprise
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 28 November 2009 - 08:34 PM

No, I get the same "cannot find server" message when trying to select HP Owner as a choice between Administrator/HP Owner. Thanks.

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:01 PM

Posted 29 November 2009 - 04:48 AM

Okay, please try the following first. You can do all steps in safe mode with networking, logged in as administrator.

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

regards, Elise




#13 Diligenterprise

Diligenterprise
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 29 November 2009 - 01:34 PM

Thank you, thank you for the helpful line-by-line instructions. I finally got SuperAntiSpy on the HP Owner Desktop by using a SanDisk and then starting Windows normally. In the Updates I got an error that (paraphrasing) "can't run update; perhaps Windows Firewall is blocking access". I went to Control Panel>Windows Firewall and all the information was unknown to me what to do next. Please advise, thanks

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:01 PM

Posted 29 November 2009 - 01:50 PM

Do the following in Normal mode:

Click start > run, and in the runbox type wscui.cpl and press enter.

Scroll down until you see Manage security settings for... and click on Windows Firewall.

Now make sure On is checked and Don't allow exceptions is unchecked. Click Okay to exit the window and close the Security Center.

Now try again and see if it works. If not, return to safe mode with networking (where you have an internet connection) and click here. Scroll down to where it says download the latest definitions and click the link there for manual definitions download.
After the download finishes, double-click the file to install the latest updates. After that restart SUPERAntiSpyware and scan as instructed in my previous post.

Edited by elise025, 29 November 2009 - 01:54 PM.

regards, Elise




#15 Diligenterprise

Diligenterprise
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 29 November 2009 - 06:22 PM

Thank you for all this help, we are eternally grateful especially through this holiday weekend. Got everything that you instructed and here is the logfile:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/29/2009 at 06:02 PM

Application Version : 4.31.1000

Core Rules Database Version : 4318
Trace Rules Database Version: 2177

Scan type : Quick Scan
Total Scan Time : 00:28:42

Memory items scanned : 261
Memory threats detected : 0
Registry items scanned : 414
Registry threats detected : 0
File items scanned : 44760
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Administrator.FARUQ\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator.FARUQ\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\Administrator.FARUQ\Cookies\administrator@at.atwola[1].txt
C:\Documents and Settings\Administrator.FARUQ\Cookies\administrator@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Administrator.FARUQ\Cookies\administrator@doubleclick[2].txt
C:\Documents and Settings\Administrator.FARUQ\Cookies\administrator@questionmarket[1].txt
C:\Documents and Settings\Administrator.FARUQ\Cookies\administrator@1058501446[1].txt



