Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


downloading Combofix, recv error "this is corrupted"

  • Please log in to reply
4 replies to this topic

#1 DarthVvv


  • Members
  • 6 posts
  • Local time:02:44 PM

Posted 18 February 2011 - 12:01 AM


I'm running win7 64, I use Chrome almost exclusively, and occasionally use IE and Firefox.

This all started when I started receiving a lot of spam on my normally clean yahoo email acct, and quite a few popups.

I used CCleaner to find an invalid registry key, labeled "smearware". This was after I had performed or experienced the following:

A trojan detection and clean by Microsoft Security Essentials, subsequent scans have no detection.

I uninstall MSE,

I install PC Tools Spyware Doctor and Antivirus, which scans, detects and cleans a different trojan, subsequent scans have no detection

I installed the Windows Updates from Tuesday Feb 8, and updated Chrome.

I run ComboFix successfully, I have logs, and will post when requested.

I run CCleaner successfully, logs will be posted when requested.

I run PC Tools Registry Mechanic (regularly every day) successfully.

I full scan in SDA (no detection).

(a few days of rampant web browsing, with occasional popups, CCleaner, RM, and SDA, with decent cleaning results but no detects from SDA)

I uninstall SDA, and the uninstall failed to execute, giving me a permissions error.

I disable wireless conection, and SDA uninstall still fails.

I disable SNMP, SDA uninstall is successful.

I used CCleaner to find an invalid registry key, labeled "smearware".

Successful run of Combofix, which cleaned about 300MB of data, per the log after reboot.

Now I try to run Combofix again, and I get an error during the initial progress bar (about 90% completion):

"You appear to have a corrupt download.
Please download a fresh copy of ComboFix.exe

You can close ComboFix by clicking the right corner of the progress bar."

I downloaded a new copy from bleepingcomputer, and I still get this error.

Any help would be very appreciated. I'll try and answer any questions, it may take a little time for me to find names of Trojans and what not thru the logs.


Edited by DarthVvv, 18 February 2011 - 12:19 AM.

BC AdBot (Login to Remove)


#2 DarthVvv

  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:44 PM

Posted 18 February 2011 - 03:52 AM

I found 2 files in c:\ComboFix\ with some strange permissions. I can't delete them, and I've tried modifying ownership using explorer, but windows stated it required administrator privileges.

Posted Image

I was able to run rkill and it killed several processes, like runonce. However, rkill did not remove itself from memory. Same for n.pif. I was able to successfully run ESET online scanner, and it did not detect anything. Every time I tried to download some new tool, like the manual updates for Spybot S&D, Internet Explorer 8 would sort of freeze. Once I turned off my wireless, the Save as dialogs reappeared. I re-enabled wireless and was able to download. However, it seems like my download request for Spybot was hijacked: when IE recovered, it wound up downloading a spybotsd.exe that is only 94KB. I was able to use Firefox to download Spybot. I tried installing AVG antivirus from CNet, and I receive a memory error

Posted Image

I have not installed anything, since receiving the ComboFix error above. I can submit the 94 KB spybotsd.exe somewhere if necessary. Let me know if I should rename it.

I did find that several extra IE8 processes were running, and my desktop had been hijacked, so I was unable to access my desktop icons. I was able to shut down most extraneous processes, which rkill also detected as expected.

I'm currently running sfc /scannow (at 63% at this time) and SAS portable is also in progress (which found some adware cookies).

I guess if I let the hijacker do his thing, my surfing and internet games seem relatively unimpaired.

Edited by DarthVvv, 18 February 2011 - 05:13 AM.

#3 DarthVvv

  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:44 PM

Posted 18 February 2011 - 04:19 AM

sfc /scannow did not find any issues. SAS only detected tracking cookies (98).

I guess my main question is how do I detect this dang extra trojan? Is there a recommendation for a free scanner I could boot from a USB drive?

Edited by DarthVvv, 18 February 2011 - 04:20 AM.

#4 badeye


  • Members
  • 1 posts
  • Local time:02:44 PM

Posted 18 February 2011 - 01:09 PM

Most of the time combofix.exe reports corruption, there is a hidden browser open (IE, Firefox, Chrome).
Run task manager and kill the browser process, combofix will then execute...

#5 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,098 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:44 PM

Posted 18 February 2011 - 04:40 PM

As a general policy, Bleeping Computer does not offer advice on how to run ComboFix unless we asked someone to run it or if there is a problem with the computer caused by running the tool. This is because people should not be using ComboFix without being advised to do so by a trained expert (i.e. Malware Response Team) who is assisting a member deal a malware issue on that system. When issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. When false detections are identified, experts have access to the developer and can report them so he can investigate, confirm and make corrections. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment.

Further, using ComboFix is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning an strategy for effective disinfection and a determination if using ComboFix is necessary. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

If you already ran ComboFix on your own or need assistance with a malware infection, please read the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
  • When you have done that, post your logs (to include your ComboFix log) in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.

Edited by quietman7, 18 February 2011 - 04:42 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users