ComboFix


11 replies to this topic

#1 dumitru

Posted 12 March 2010 - 08:08 PM

Hello,
I have Windows XP and Firefox 3.6.
My browser wouldn't open, and a window came up that said I had a virus. So I ran a full Kaspersky scan in safe mode. The scan kept slowing down, so I called Kaspersky and they recommended running the scan in regular mode and then running ComboFix. I finished the scan in regular mode, then I followed the directions on the ComboFix page and downloaded ComboFix. The directions said that after I click on Save, it would ask me where to, and I could save it to my desktop. That didn't happen. It just started downloading it to a small download window. So I stopped it and tried it again and the same thing happened, so I let it download. When that was done, I clicked to open the program, clicked on Run in the Security Warning window, and then a black window that looked like the "ComboFix is Preparing to Run" window flashed on and off the screen so fast I couldn't read what it said. I thought nothing had happened, so I waited a minute and then went back to the download window and opened the program again, and the same thing happened. So I thought that maybe, even though the "ComboFix is Preparing to Run" window disappeared again, it was still preparing. So I closed the download window and waited ten minutes. Still nothing happened, so I restarted my Kaspersky antivirus to get back online and post this question.
Please let me know what I need to do to get the ComboFix to run.
Thanks


{Moved from XP to more appropriate forum~~boopme}

Edited by boopme, 12 March 2010 - 10:45 PM.




#2 quietman7


Posted 15 March 2010 - 12:23 PM

Please note the message text in blue at the top of this forum.

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert." Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

With that said, where did you download ComboFix from?

If you cannot download to the infected machine, try downloading from another computer (family member, friend, library, etc) with an Internet connection. Save the file to a flash (usb, pen, thumb, jump) drive or CD, and transfer it to the desktop of the infected machine.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 dumitru


Posted 15 March 2010 - 01:37 PM

To: quietman7,

Thanks for your reply. As I mentioned in my post, I was advised by someone at Kaspersky to run ComboFix. I am unclear as to whether or not he fits the criteria for a Malware Removal Expert that is supervising me in using ComboFix. Here is a copy of the e-mail he sent to me:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"ComboFix is a handy free program designed to deal with a number of different infections. Since it's not a full security suite, many malware writers do not test against it. You can get a copy of it from here:
http://www.bleepingcomputer.com/combofix/h...-combofix#intro
When you save the file, give it a random name like 999.exe.
Then right-click on the Kaspersky K and choose Exit.
Double-click the ComboFix file to run it.
Could you send me the Log file that ComboFix creates per the instructions above please?
As this is not a Kaspersky program I cannot support it, nor is this an official recommendation, just a personal one.
Regards, Donald Spear | Technical Support Engineer | Kaspersky Lab"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So, quietman7, can you tell me if I should proceed with trying to use ComboFix with Mr. Spear's supervision, or do you think he has just set me loose on something I should best leave alone? What do you recommend my next steps be?

Thanks for your help,
dumitru

#4 quietman7


Posted 15 March 2010 - 01:50 PM

As this is not a Kaspersky program I cannot support it, nor is this an official recommendation, just a personal one.

They are not going to guide you through the process nor offer support if something goes wrong... it's a personal recommendation. If you choose to use CF that way, you do so at your own risk.

What specific issues are you having with malware?

#5 dumitru


Posted 18 March 2010 - 04:32 PM

Thanks. I don't want to risk anything. I'm just trying to follow the suggestions and instructions I'm getting. I don't know if I need ComboFix, nor do I know who exactly is supposed to help me with it.

As for the problem that brought it up in the first place, my computer was getting slower and slower. I ran the Kaspersky full scan in safe mode, and that didn't help. I downloaded something called Advanced Systems Care to fix registry errors. For the next couple of days my browser kept crashing, and eventually I was unable to open the browser at all. Then a window from Kaspersky came up that said that something was acting like a virus. I clicked on the report link and it wasn't clear to me from reading that if the registry fix I had downloaded was acting like a virus or if there was a virus, what had happened or if the program had taken care of it or what. So I ran Kaspersky again in safe mode, and that also slowed down to a crawl. So I called Kaspersky and he recommended that I run Kaspersky in regular mode and also run the ComboFix. After I finished the Kaspersky scan, I downloaded the ComboFix and tried to install it, which it wouldn't do. Since then my computer has been back to a normal speed, so it may be that the original problem was taken care of by that last Kaspersky scan.

#6 quietman7


Posted 18 March 2010 - 05:40 PM

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

I downloaded something called Advanced Systems Care to fix registry errors.

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

  • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

    The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

  • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

  • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

  • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

  • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

#7 dumitru


Posted 19 March 2010 - 10:59 PM

Thanks for the info about Malwarebytes Anti-Malware. I followed all of your directions. Here is the log entry:

Malwarebytes' Anti-Malware 1.44
Database version: 3886
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/19/2010 8:09:40 PM
mbam-log-2010-03-19 (20-09-40).txt

Scan type: Quick Scan
Objects scanned: 112492
Time elapsed: 14 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\RealTime Gaming Software\Gold VIP Club Casino (Adware.Casino) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Desktop\SmartDownload.exe (Adware.Casino) -> Quarantined and deleted successfully.

Thank you - dumitru
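The MBAM 1.44 log pasted above has a fixed layout (summary counts, then one itemised section per category, each line as `item (detection) -> action`), so it can be checked mechanically instead of by eye. The parser below is an added example, not code from this thread or from Malwarebytes; its sample log mirrors the one in the post, and the extra `example-locked.exe` line with a "Delete on reboot." action is constructed to show the reboot case quietman7's note describes.

```python
import re
from collections import namedtuple

# Constructed sample log: same layout as the MBAM 1.44 log pasted in post #7, plus
# one extra file line (hypothetical name) whose action is not finished until reboot.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3886
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 112492

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\RealTime Gaming Software\Gold VIP Club Casino (Adware.Casino) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Desktop\SmartDownload.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\example-locked.exe (Adware.Casino) -> Delete on reboot.
"""

Finding = namedtuple("Finding", "section item detection action")

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
# item (detection name) -> action; the path itself may contain spaces or parentheses
ITEM_RE = re.compile(r"^(.+) \(([^()]+)\) -> (.+)$")

def parse_mbam_log(text):
    """Return {'header': {...}, 'counts': {section: n}, 'findings': [Finding, ...]}."""
    log = {"header": {}, "counts": {}, "findings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:                                  # summary block: "Files Infected: 1"
            log["counts"][m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            log["header"][m.group(1)] = m.group(2)
            continue
        if line.endswith(" Infected:"):        # start of an itemised section
            section = line[:-1]
            continue
        if section and not line.startswith("(No malicious items"):
            m = ITEM_RE.match(line)
            if m:
                log["findings"].append(Finding(section, *m.groups()))
    return log

def unresolved(log):
    """Findings MBAM could not quarantine/delete yet (e.g. 'Delete on reboot.')."""
    return [f for f in log["findings"] if "successfully" not in f.action]

def count_mismatches(log):
    """Sections whose summary count differs from the number of lines listed."""
    listed = {}
    for f in log["findings"]:
        listed[f.section] = listed.get(f.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in log["counts"].items() if n != listed.get(s, 0)}
```

A non-empty `unresolved()` result is the signal that the reboot MBAM asks for has not yet happened, and `count_mismatches()` catches a log that was pasted incomplete.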

#8 quietman7


Posted 20 March 2010 - 06:11 AM

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please perform a scan with SUPERAntiSpyware Online Safe Scan.
  • Be sure to follow the instructions provided on that same page.
  • When the scan is complete, please post the results in your next reply.
Please perform a scan with Eset Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?"
  • Answer Yes to download and install the ActiveX controls that allow the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to begin.
  • If offered the option to get information or buy software, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

    C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#9 dumitru


Posted 27 March 2010 - 08:18 PM

OK, I downloaded and ran TFC. After that a Kaspersky window came up saying that something was acting like a worm, but the window disappeared before I could write down what it said. So I ran the Kaspersky antivirus again and it came up with nothing. So then I downloaded and ran SUPERAntiSpyware Online Safe Scan. It found 7 tracking cookies and one trojan. A window came up that said to restart my computer, so I clicked on that. After that I couldn't find a record of what the scan had found, so I can't be more specific than that.

Then I saw their free offer to see what's running on my computer. This has long been a question of mine because it has often seemed that my computer was very busy even when I wasn't doing anything on it, and sometimes too busy to respond to what I wanted to do. Unfortunately, when I tried to download that I got a message saying Firefox could not install the file because install script not found -204. I don't know what that means, but I would like to find out a way to get that done.

Then I performed a scan with Eset Online Antivirus Scanner.

It took a couple of tries, and my computer didn't find the log by pasting the address you gave, so I tracked it down in my Windows Explorer:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16981 (vista_gdr.091215-2244)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e980f0c91055ee43aa2457d63d457227
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-27 02:35:03
# local_time=2010-03-26 07:35:03 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777175 100 0 1045655 1045655 0 0
# compatibility_mode=2817 16777215 0 80 69294149 80959669 0 0
# compatibility_mode=3329 16777214 0 2 94617873 94617873 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=50263
# found=1
# cleaned=1
# scan_time=17160
C:\Documents and Settings\Owner\Desktop\SetupCasino.exe a variant of Win32/PTCasino application (cleaned by deleting - quarantined) 00000000000000000000000000000000

Thank you!

#10 quietman7


Posted 28 March 2010 - 06:52 AM

How is your computer running now?

#11 dumitru


Posted 31 March 2010 - 09:16 PM

On the one hand, it occasionally slows down like something else is taking all its attention, and sometimes things don't work, like commands aren't obeyed, or e-mails are lost.

On the other hand, most of the time it works fine, and that was what was normal before.

The problem that started this whole thing was that everything got extremely slow and I couldn't even open Firefox at all.

So now it's back to normal, but, of course, it would be nice to have it work even better if you have any more suggestions.

Thanks.

#12 quietman7


Posted 01 April 2010 - 06:22 AM

You may have too many applications loading at startup when Windows boots. Almost all applications you install want to start up when Windows loads. If you allow all these startups, they will compete for and use system resources, resulting in poor performance and a slow system. Many of these programs are not needed, and disabling them can save resources and improve performance, as they can still be launched from Start > Programs or an icon on the desktop. Other reasons for slowness include disk fragmentation, disk errors, corrupt system files, unnecessary services running, not enough RAM, dirty hardware components, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down, so cleaning and regular maintenance is essential. For more information about trimming down the number of startup applications and other ways to improve performance, please refer to Slow Computer/Browser? Check here first; it may not be malware.
