Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacker virus - I think Combofix got it???


  • Please log in to reply
11 replies to this topic

#1 bdevlin

bdevlin

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 24 February 2010 - 02:10 PM

I had a virus that redirected my browser and it also seemed to generally bog things down. I ran several Spyware adn AV programs to no avail. Finally I came across Combofix and chose to try it. So far, 2 days later, everything still seems fine. Combofix deleted quite a few items in c:\windows\system32\cache329 as well as disinfected a driver (c:\windows\system32\DRIVERS\atapi.sys). Since then I have run a reg. cleaner and optimized my startup services.

I'm wondering if someone could give my Combofix log the once over just to be on the safe side??

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:39 AM

Posted 24 February 2010 - 02:23 PM

As no logs have been posted, I am shifting this topic from the specialized Malware Removal forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Please describe the issues you are experiencing with your computer.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 bdevlin

bdevlin
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 24 February 2010 - 02:35 PM

First off the way I came about finding Combofix was through a forum post. As a result I did not see all of the instructions about what was recommended before running Combofix.

Currently I am not experienceing any issues but before running combofix my browser would be redirected to other sites when I clicked on a link in my yahoo search results. I also was experiencing a slow computer in general. At some point my proxy settings in the LAN setting in Internet Options was changed. I'm not clear if that was from a hijack or a spyware, AV, program I downloaded.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:39 AM

Posted 24 February 2010 - 02:41 PM

Well, lets try to determine from here if you are indeed clean. :thumbsup:

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 bdevlin

bdevlin
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 24 February 2010 - 02:53 PM

Fantastic. I actually already have MALWAREBYTES ANTIMALWARE installed. I will execute when I get home (about 4 hrs from now).

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:39 AM

Posted 24 February 2010 - 03:26 PM

Okay, I'll wait for the log :thumbsup:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 bdevlin

bdevlin
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 24 February 2010 - 09:40 PM

The log showed no infections. However the log that I ran a few days ago, prior to running Combofix, showed:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.


These are now in quarintine.

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:39 AM

Posted 25 February 2010 - 02:27 AM

Quarantined items do not have the possibility to harm your computer anymore. They are kept only in case something legit was removed and needs to be restored.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 bdevlin

bdevlin
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 25 February 2010 - 10:30 AM

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir Win32/Olmarik.UI trojan deleted - quarantined

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:39 AM

Posted 25 February 2010 - 10:53 AM

Okay, looks good, that was an quarantined file.

Any problems left?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 bdevlin

bdevlin
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 25 February 2010 - 11:19 AM

Not showing any signs or sluggishness but I do have a left over issue from ComboFix whereby my computer boots and asks if I want to use Windows XP or Windows Recovery Console.

Beyond that I am interested in donating to the sites that helped me. How do I go about that? Is there a PayPal link? Primarily this site and the Combofix program got me going again.

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:39 AM

Posted 25 February 2010 - 12:33 PM

The recovery console is installed when Combofix is run. It is a command line interface that can be accessed/used in case an XP installation is damaged and can no longer boot succesfully. Its used as a safe guard by Combofix in case anything goes wrong. Trained helpers know how to use the Recovery Console to undo the possible damage the program did. This is one of the reasons Combofix is not recommended to be used without guidance. Its a pretty powerful tool that can do quite some damage.

For more information about Combofix (including a donation link), see here

BleepingComputer no longer accepts donations, at this point the site is self-sustaining, however we thank you for the kind initiative!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users