
ComboFix won't run on XP


4 replies to this topic

#1 telefony

  • Members
  • 10 posts

Posted 23 November 2010 - 10:10 AM

I have a laptop running XP SP3 that was getting many pop-ups, several of which were similar to the fake antivirus program pop-ups. I sent the end user to a download link for MBAM and told him to run a scan. When he did so it hijacked the link and he ended up downloading something else that I have never heard of and installing it. So I ended up removing that program from Add/Remove Programs, then pushed a copy of MBAM to his laptop via his C$. After installing and running a full scan it came up clean. After running the full scan I pushed a copy of ComboFix and remoted into his machine to run it. After launching ComboFix it immediately pops up and tells me that it is incompatible with his operating system, and that it will only run on 2000/XP, but his machine is a Windows XP computer. Can someone please give me a hand?

Edit: Moved topic from Windows NT/2000/2003/2008 to the more appropriate forum. ~ Animal


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,743 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 November 2010 - 01:54 PM

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert." Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again. When issues arise due to complex malware infections, possible false detections, problems running ComboFix, or other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

As a general policy, Bleeping Computer does not offer advice on how to run ComboFix unless we asked someone to run it or there is a problem with the computer caused by running it. This is because people should not be using ComboFix without being advised to do so by a trained expert who is assisting a member in dealing with a malware issue on that system. Further, more information is needed, by using tools like DDS, OTL, or RSIT, which create comprehensive logs with specific details about a computer's system, files, folders and registry keys which may have been modified by a malware infection, BEFORE deciding if ComboFix should be used.

If you need assistance with a malware infection, please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log. When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 telefony
  • Topic Starter

  • Members
  • 10 posts

Posted 24 November 2010 - 12:02 PM

This isn't my first rodeo with ComboFix; I have used it countless times against many infected machines that no other free tools could clean. I have successfully built my own CFScript.txt files on several occasions when ComboFix was having issues removing particular infections. I am not a general public user; I have been in the IT business over 5 years and am a senior network/systems administrator for a privately held company with 1000+ employees. It is simply impossible to be creating posts for every machine that comes to us with an infection, but I have successfully created a post and received assistance on this site with one other machine that neither I nor my staff could fix.

If someone could at a minimum tell me what the reasons are for CF detecting a Windows XP machine as a different OS and refusing to run, that would help me fix the problem.
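
The question above asks what would make a version check inside a tool misidentify a real XP SP3 host. Before reimaging, a practitioner would first record what the host actually presents to programs and whether the binary that was pushed is the one on disk. The script below is an added example written for this editing pass; it is not code from the thread, from BleepingComputer, or from ComboFix's author. It assumes PowerShell 2.0 has been installed on the XP SP3 laptop (an optional update for XP, not present by default) and that ComboFix was copied to C:\ComboFix.exe; both the path and the PowerShell availability are assumptions. It does not claim to know why ComboFix refused to run; it gathers the facts a responder would want before deciding.

```powershell
# Added diagnostic for the "tool says it is not running on XP" symptom.
# Assumptions: PowerShell 2.0 on XP SP3; ComboFix pushed to C:\ComboFix.exe.
param(
    [string]$ExePath = 'C:\ComboFix.exe'   # assumed location of the pushed binary
)

# 1. What the OS reports through WMI. A genuine XP SP3 box shows
#    Version 5.1.2600 and CSDVersion "Service Pack 3".
$os = Get-WmiObject -Class Win32_OperatingSystem
"Caption     : $($os.Caption)"
"Version     : $($os.Version)"
"ServicePack : $($os.CSDVersion)"

# 2. What the process itself sees via the .NET runtime (GetVersionEx
#    underneath). If this disagrees with WMI, something is shimming
#    the version returned to programs.
"OSVersion   : $([Environment]::OSVersion.VersionString)"

# 3. Application-compatibility layers. An entry for the executable under
#    either hive (for example "WIN98" or "WINNT4SP5") makes Windows report
#    a different version to that program, which is one way a version
#    check inside a tool can fail on a real XP host.
$layerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
foreach ($key in $layerKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $hits  = $props.PSObject.Properties | Where-Object { $_.Name -like '*ComboFix*' }
        foreach ($h in $hits) {
            "Layer       : $($h.Name) = $($h.Value)  [$key]"
        }
    }
}

# 4. Confirm the binary on disk is the one that was pushed. Post #1 already
#    saw a download being hijacked on this host, so verify size and hash
#    against the copy on the admin workstation. Get-FileHash does not exist
#    in PowerShell 2.0, so the hash is computed with .NET directly.
if (Test-Path $ExePath) {
    $item = Get-Item $ExePath
    "Size        : $($item.Length) bytes, modified $($item.LastWriteTime)"
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($ExePath)
    try {
        $hash = ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
    "MD5         : $hash"
} else {
    "ComboFix not found at $ExePath"
}
```

Run it in the same remote session used to launch ComboFix, since a per-user compatibility layer lives under HKCU and will only show up for the account that set it. If the WMI version, the runtime version and the hash all check out and no layer is present, the host has given you nothing to fix from here, which is the point at which reimaging (the route the thread ends on) is the defensible call.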

#4 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 26 November 2010 - 10:47 AM

Here is a recommendation from someone who has 11 years in IT: if your company has issues with infections, then you need to tighten/harden your network and computers. You should be using Domain Controllers with delegated authority to people you trust, and you should have a basic or baseline image that you use to reimage the machines instead of dealing with infections. You should also learn how to isolate computers that are infected from infecting other computers. You should also be training your employees in the proper use of AIS (Automated Information Systems), and teach them basic computer security. You need to maintain network security at all costs. Your information is private and should remain as such.

Here is what you should be using to protect your network:

Inbound and outbound firewalls with strict ACLs of allowed and denied websites, such as Facebook, MySpace and other social networking sites. You could also deny access to external email accounts such as Yahoo, Hotmail, Gmail, and others.

You should be using some sort of IDS/HIPS system that alerts you of possible malicious activity.

If you use Exchange, then you should deny and block all attachments and encourage the use of Dropbox for your enterprise.

You should also encourage plain-text emails without any HTML or anything fancy.

Just a few recommendations that could help you protect your network and your information.

#5 telefony
  • Topic Starter

  • Members
  • 10 posts

Posted 29 November 2010 - 10:20 AM

Many of the restrictions you mention are already in place; however, that being said, we don't have much control (for intercompany political reasons) to remove admin rights from most machines. You can train people all day, but no matter what policies and hardware you have in place, a human being will be the weakest link in the chain. We have strict firewall policies while within the corporate network, as well as a Barracuda web filter and a Packeteer/Blue Coat shaper before anything touches the corporate network. My biggest problems come from road warriors that just so happen to be in the worst possible places imaginable (Iran, Iraq, Venezuela, Pakistan, etc.). We do not have any of our own infrastructure in several of these locations, therefore policy enforcement is impossible, and believe me, when your internet connection is comparable to 56k while in these locations, it is not uncommon for someone to load a thumb drive and hand it over. To prevent infections this way, many of these users have been issued several "throw-away" thumb drives; once they are connected to a non-company laptop they are no longer used.

As for blocking attachments completely, that would not be acceptable. We do have the Barracuda spam/virus firewall (really a filter, but whatever Barracuda Networks wants to call it) that catches 99.99% of the emailed viruses we see come our way.

We do use SCCM and SCOM for systems management, monitoring, software deployment, etc. At this point it does look like we will be imaging his computer; I was hoping not to go that route.



