Making sure I'm not infected (+Qoobox question)


6 replies to this topic

#1 scrained

scrained

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 15 June 2011 - 11:47 AM

Hello, a few days ago my computer (OS is Vista) started lagging pretty badly, so today I decided to make sure nothing is infected. I used my standard scanner (Superantispyware), which found nothing, but I have no idea if it's still as good of a program as it used to be (well, I heard several sources saying it was very good when I started using it)...

I decided to turn Windows Defender on so I could check if there were too many start-up programs, and saw there was still a trace of a virus I thought I had deleted, namely an unsigned csrss.exe. I kinda knew about this since it warns me every time I boot my computer that the registry needs to be updated, but I never get around to it. What worried me though is that in the same group (Publisher not available) an unsigned Conhost.exe is running. Shouldn't this be signed by Windows? Is it also a remainder of a virus? I also can't seem to find a conhost.exe in the processes folder.

So since I had just turned Windows Defender on anyway and my computer was still laggish, I thought 'might as well let it scan', and it found 2 infected files in the Qoobox quarantine folder. A quick Google taught me this was the quarantine folder for Combofix, but I kinda feel uncomfortable leaving them there; the last time I used Combofix was a long time ago. Is it safe letting them sit there, or should I clean it up somehow or uninstall Combofix and reinstall? I know it's a program for experts (and I read the topics about it on this site), but the few times I was hit with a serious rootkit Combofix fixed it for me without requiring much input, so I feel safe having it on my desktop.

Finally, I know you guys get this question 100 times a day and will shoot me for it, but even if I resolve my 2 issues I still don't feel 100% safe, what scanner should I use to do another scan so I can assume I'm safe (never 100% sure, I know :P)?


#2 invision

invision

  • Members
  • 91 posts
  • OFFLINE
  • Local time:11:26 AM

Posted 15 June 2011 - 11:51 AM

Some info about conhost http://www.howtogeek.com/howto/4996/what-is-conhost.exe-and-why-is-it-running/

Please follow these steps.

Let's try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.

  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check Posted Image and make sure that the option Remove found threats is NOT checked.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.


Edited by invision, 15 June 2011 - 11:52 AM.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,267 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:26 AM

Posted 15 June 2011 - 12:33 PM

To uninstall ComboFix, press the WINKEY + R keys on your keyboard or click Posted Image > Run... and in the Open dialog box, type: ComboFix /Uninstall
  • Press OK.
    -- Vista/Windows 7 users refer to these instructions: How to Enable Run Command in Windows 7 or Vista
  • If you encounter any problems using the switch from the Run dialog box, just rename ComboFix.exe to Uninstall.exe, then double-click on it to remove.
  • This will delete ComboFix's related folders/files, reset the clock settings, hide file extensions/system files, clear the System Restore cache to prevent possible reinfection and create a new Restore point.

Please download OTC by OldTimer and save to your Desktop.
  • Connect to the Internet and double-click on OTC.exe to start the program.
  • Click on the green CleanUp! button.
  • If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.
  • When it has finished, OTC will ask you to reboot so it can remove itself.
-- Doing this will remove any specialized tools downloaded and used. If OTC does not delete itself, then delete the file manually when done.
-- Any leftover folders/files related to ComboFix which were not removed can be deleted manually (right-click on them and choose Delete).


Afterwards, please do NOT run ComboFix again unless asked to do so by a member of the Malware Removal Team. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

Edited by quietman7, 15 June 2011 - 12:36 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#4 scrained

scrained
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 15 June 2011 - 03:33 PM

I appreciate the quick replies; however, I do not want to delete Combofix if I don't have to. I know it's a risk to use it without being a pro, and I don't use it unless I have no other option (and if something goes wrong I will only blame myself). My question is: is the quarantine folder safe to keep, or should I take steps to remove it? Are there other reasons why I should uninstall Combofix? Is it a risk just having it installed?

I was already running a MBAM scan at the time of the first reply, hope that's ok too, the log is below:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6863

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

15/06/2011 22:23:13
mbam-log-2011-06-15 (22-23-13).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 454488
Time elapsed: 2 hour(s), 59 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\xxxxxx (RiskWare.Tool.CK) -> Not selected for removal.
c:\xxxxxx (RiskWare.Tool.CK) -> Not selected for removal.
c:\xxxx (RiskWare.Tool.CK) -> Not selected for removal.)
(comment by myself: these were files associated with a very expensive program I wanted to test cheaply, hum, no danger in riskware tools right?)
c:\Qoobox\quarantine\C\Users\fer\AppData\Local\kbdinled.dll.vir (Trojan.Hiloti) -> Not selected for removal.
c:\Qoobox\quarantine\C\Users\fer\AppData\Local\yphponqpj\iqcfwostssd.exe.vir (Trojan.Downloader) -> Not selected for removal.
(comment by myself: I do not know whether it's safe to delete these in this manner)
c:\endslate_sm.swf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Edited by scrained, 15 June 2011 - 03:36 PM.
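The MBAM log above mixes three different situations that the poster's inline comments ask about: items MBAM already removed, riskware hits that may be a program the user installed, and files sitting inside ComboFix's own Qoobox quarantine (already renamed to .vir and inert). The following Python script is an added example for this thread, not a Malwarebytes or BleepingComputer tool: it parses the MBAM 1.x text log format shown in the post and sorts each detection into one of those buckets. The sample log is a trimmed copy of the one posted above (keeping the poster's own c:\xxxxxx redactions), and the quarantine-folder prefix, the triage rules and the list of system-binary names are assumptions chosen for the example.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log (the format quoted above).

Added example for this thread, not a Malwarebytes or BleepingComputer tool.
Assumptions: the quarantine-folder prefix, the triage rules and the list of
system-binary names are illustrative choices made for this example.
"""
import re
from collections import Counter

# Constructed sample: a trimmed copy of the log posted above, keeping the
# poster's own redactions (c:\xxxxxx) and leaving out the inline comments.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6863

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\xxxxxx (RiskWare.Tool.CK) -> Not selected for removal.
c:\Qoobox\quarantine\C\Users\fer\AppData\Local\kbdinled.dll.vir (Trojan.Hiloti) -> Not selected for removal.
c:\endslate_sm.swf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Section headers end with a colon; the summary count lines end with a number.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumption: paths under another cleanup tool's quarantine hold inert copies
# (ComboFix renames them with a .vir suffix), not a live infection.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

# Assumption: illustrative names of Windows system binaries that malware
# commonly borrows for autorun entries (the log above shows Run\conhost).
SYSTEM_BINARY_NAMES = {"conhost", "csrss", "svchost", "lsass", "winlogon"}


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, value, family, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # Registry values carry an extra "Value: <name>" segment before the action.
        parts = m.group("action").split(" -> ")
        value = parts[0][len("Value: "):] if parts[0].startswith("Value: ") else None
        entries.append({"section": section, "item": m.group("item"), "value": value,
                        "family": m.group("family"), "action": parts[-1]})
    return entries


def triage(entry):
    """Attach a verdict code and a masquerade flag to one parsed entry."""
    item = entry["item"].lower()
    if item.startswith(QUARANTINE_PREFIXES):
        verdict = "quarantined_elsewhere"   # inert; goes away with the other tool's uninstall
    elif entry["action"].startswith("Quarantined and deleted"):
        verdict = "removed"                 # MBAM already dealt with it
    elif entry["family"].startswith("RiskWare."):
        verdict = "review_riskware"         # broad category; fine only if you installed and recognise it
    else:
        verdict = "review"                  # still present and not a known-benign case
    # An autorun value named after a system binary is a classic persistence disguise.
    masquerade = (entry["section"] == "Registry Values Infected"
                  and (entry["value"] or "").lower() in SYSTEM_BINARY_NAMES)
    return {**entry, "verdict": verdict, "masquerade": masquerade}


def triage_log(text):
    return [triage(e) for e in parse_mbam_log(text)]


def summarize(report):
    """Count detections by (family, verdict) so the log can be read at a glance."""
    return Counter((e["family"], e["verdict"]) for e in report)


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        flag = "  [named after a system binary]" if e["masquerade"] else ""
        print(f"{e['verdict']:<22} {e['family']:<20} {e['item']}{flag}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Run it on a saved mbam-log-*.txt by passing the file contents to triage_log(). The Qoobox entries come out as quarantined_elsewhere, which is exactly why the moderator's advice to uninstall ComboFix also answers the question about the quarantine folder, and the riskware lines come out as review_riskware rather than as a removal recommendation, matching the "if you installed or recognize the program" guidance given later in the thread.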


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,267 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:26 AM

Posted 15 June 2011 - 05:23 PM

My question is: is the quarantine folder safe to keep, or should I take steps to remove it? Are there other reasons why I should uninstall Combofix? Is it a risk just having it installed?

The quarantine folder is part of ComboFix. The tool is updated frequently to deal with new malware variants and to correct possible safety issues when using it. Outdated versions should never be used or you risk damaging your computer. Once ComboFix is used to rid a machine of malware, there is no reason to keep it. ComboFix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware which scan individual drives or different folders on a computer for viruses.

(comment by myself: these were files associated with a very expensive program I wanted to test cheaply, hum, no danger in riskware tools right?)

A Risk Tool detection is a very broad threat category. When flagged by an anti-virus or security scanner, it's because the program has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. Since these detections do not necessarily mean the file is malware or a bad program, in some cases the detection may be a "false positive". If you installed or recognize the program, then you can ignore the detection.

Try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check Posted Image and make sure that the option Remove found threats is NOT checked.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.


#6 scrained

scrained
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 15 June 2011 - 05:52 PM

Thank you for the detailed response. I uninstalled Combofix and everything seems to be running fine (though the computer is still running slowly, but I'm beginning to suspect it just needs some hard disc maintenance).

I will run OTC and the online scan tomorrow and report back.

Edited by scrained, 15 June 2011 - 05:54 PM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,267 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:26 AM

Posted 15 June 2011 - 08:00 PM

Not a problem.

