Help after Combofix


This topic is locked
9 replies to this topic

#1 XtanyaX


Posted 16 June 2011 - 04:24 PM

Hi,
I don't know where to post this - I apologize for the length and the lack of clarity...
Red is for the relevant points:

QUESTION
How to reverse the effects of Combofix, whether the computer is infected (doubt it) and how to ensure the 2 flash drives are completely clean
I don't think the computer is infected to begin with but posted in a windows forum and was advised to run a number of programs (please see below).
I had not seen this:
"A guide and tutorial on using ComboFix"
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This is entirely my fault: I should never use anything I am not 100% sure of



SYSTEM DETAILS
SYSTEM = Dell Dimension E520
CPU = Intel ® Core ™2 CPU; 2.13 GHz; Bus speed: 1066 MHZ; L2 cache 2 MB; dual; 64 bit
MOTHERBOARD = Motherboard: Dell Inc. 0WG864?
RAM = 2.0 GB; DIMM 1 (1 GB) and 2 (1 GB) nonECC; unbuffered; x8; 667 MHz; DDR2 SDRAM Dual interleaved
HARD DRIVE = Seagate – SATA RAID; 500 GB;
OS = Windows XP (Home) SP3 (up to date)
POWER SUPPLY = 305 W
VIDEO CARD = NVIDIA GeForce 7300 LE PCI Slot 10 (PCI bus 1, device 0, function 0)
SOUND CARD = Integrated audio:
BIOS 2.2.1 (03/23/07)

Relevant Software
Avast! Free version, 5.0.545 completely up to date.
Email Client: Thunderbird: version 2.0.0.24 (20100228)
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18 (Don’t use)
Firefox: Version: 3.6.13



MALWARE INFORMATION
SUMMARY
The following threat, "Threat: Win32:Hostile[Wrm]" (from an UNopened email message), was in some MozBackUp files *.pcv on a Dell E520
(C | Documents and Settings | My Documents)
And were on:
2 flash drives:
The threats were and are not in the mail folder (C | App data | ThunderBird | Profiles -> mail)
or in the entire Thunderbird folder (C | App data ->Thunderbird)
END OF SUMMARY


DETAILS
Several months ago, got a suspicious email: made a new mail folder for the message and scanned it with Avast! and a mini program from Trend's Web site. Both were negative for the message / folder.
I never opened the message or ran its executable file (fed ex doc.exe(?)) and deleted the message but kept the new folder.
Have been using MozBackUp and copying the back up files (*.pcv) to 2 flash drives

I wanted to transfer files to another PC (Dell Optiplex 780 Windows XP Pro SP3) which runs Trend Microsystems Internet Security (Full version) Program version: 16.60.3021; engine version 9.200.1008; completely up to date
Scanned each flash drive which came up with:
"Item: TSC_GENCLEAN; type: trojan; staus: successfully removed"
7 files:
These were quarantined by Trend.
After Trend "fixed" the problem, re-ran flash drives and they are clean.

Ran the same drives through Avast! on the Dell E520 and they are "clean".
Have run several Full Avast! scans which are always negative…

BUT: running the backup file(s) through Avast! (I.e. right click the file "Thunderbird 2.0.0.24 (en-US) - 2011-05-27.pcv" scan for viruses ) finds (found) a threat: "Threat: Win32:Hostile[Wrm]"
which Avast! moved to the virus chest. (Have one for each suspect backup file and now all the back up files (*.pcv's) are clean.)
The mail (C | App Data | Thunderbird | Profiles -> mail) and
the Thunderbird Program (C | App Data -> Thunderbird) are both clean according to Avast! (right click “scan for viruses")

[The other computer (Dell Optiplex 780) has the same email messages (physically networked) with Trend (detailed above), and the "scan for virus" of the mail and the specific .pcv files on the flash drives are all negative.]
END OF DETAILS

END OF MALWARE INFORMATION


I was told to do / run the following in the other message board:
1. Avast! 5.0.545; defs up to date: Virus Def Version: 110616-0 (use routinely)
2. Malwarebytes' Anti-Malware 1.50.1.1100 (I use this one routinely)
3. GMER 1.0.15.15640
4. MBRCheck, version 1.2.3
And
5. aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
6. DDS (Ver_11-05-19.01) - NTFSx86
[…]
7. RkU Version: 3.8.389.593, Type LE (SR2) (RootKitUnhooker)
And finally
8. Combofix.exe 11.6.14.1

NB: I have all the logs - I don't know if you want them

After using Combofix (on June 14th, 2011) there are quite a few problems (aside from the fact that I watched it delete dell drivers)

Problems (that I know of): Avast! does not start up automatically on boot (warm or cold), despite the settings.


Msconfig --> startup no longer contains any reference to Avast!:
Only the following are checked:
stsystra,
NvCpl = NVIDIA Display Driver Service
ctfmon - “Ctfmon.exe offers language services for Office XP”


It takes much longer to boot
Stalls briefly on the screen with what OS to load
1. Recovery Console
2. ?
3. Windows

I had made a number of Windows restore points and I need advice on whether to use them or really how to proceed. I am really worried about Combofix's restore options - I have the program but want to avoid it....

P.S. I was just at a Web site and windows came up; I forgot Avast! was not running. I need to reverse Combofix please.

#2 XtanyaX


Posted 17 June 2011 - 10:00 AM

Hi,
I used Combofix on 6/14/11 (I take full responsibility for following another windows Forum's advice) And it made some unwanted changes. Most important is that it has stopped Avast! (was 5.0.545 now is 6.x) from running.
In the meantime I got 4 Java\cache threats (because Avast! was not running) --> put in the virus chest.
(Full system scans and specifics of Documents and settings and some other files are clean both 5.x and 6.x)

I will follow up on that but my urgency is:

Whether to restore the Windows registry from before Combofix (from 6/13/11)
Or
Whether to use Combofix's restore option - I don't want to use anything from Combofix
OR
To edit the registry to have Avast! start on boot? (I don't know how)
and in what order?
PLEASE ADVISE!

Thanks



I posted a "dissertation" / "Novel" (sorry) here:
"Reverse Combofix by Restoring Windows registry? ?Infected?"
http://www.bleepingcomputer.com/forums/topic404236.html

#3 cryptodan


Posted 17 June 2011 - 09:32 PM

First of all what made you run Combofix in the first place?

Edited by elise025, 18 June 2011 - 01:31 AM.


#4 Elise


Posted 18 June 2011 - 01:33 AM

Hi XtanyaX,

If Avast is the only program you have a problem with, did you try to uninstall/reinstall it?
If there are any other specific problems caused by combofix, please let me know.

I have merged your original topic with this one.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 XtanyaX


Posted 18 June 2011 - 10:14 AM

First of all what made you run Combofix in the first place?

Long story.... I shouldn't have - I was being given advice from a well known forum - I would write why I was even running any malware "scanners" but it is all detailed in my other post which has been merged with this one.
Bottom line - I shouldn't have

#6 Elise


Posted 18 June 2011 - 10:24 AM

Can you please include the link to the topic on the forum where you received help originally?

regards, Elise




#7 XtanyaX


Posted 18 June 2011 - 11:09 AM

Hi elise025,
Thanks very much for answering!

Hi XtanyaX,

If Avast is the only program you have a problem with, did you try to uninstall/reinstall it?

No for several reasons:
1. I don't want to make too many changes if Combofix's restore option is a possibility
2. According to someone on Avast!'s forum the following occurs:

My Question to Avast!:

I have 7 threats ("infected" files) in the virus chest and I don't know what happens to the virus chest if I uninstall?
The answer

they will end up in virus heaven....or maybe it is virus hell

Not sure if this means they disappear?

I do not know whether I will be able to find out more about the most recent (Java\cache) items in the virus chest....

I also cannot remember where the text versions of the Avast! logs are on the machine... (I am in a panic)
I have this question posted in the Avast! forum.... in case the threats are erased with uninstall / reinstalling. (I did upgrade from 5.0.545 to 6.0.1125 (on 6/16/11))

Current Status of Avast! (v. 6.0.1125)
1. From Msconfig --> startup
There had been:
Start-up Item: avastUI
Command: C:progra~alwil...
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVer...
(This is from my other system but they were identical wrt Avast!)

2. On boot (cold or warm) If I right click a file and choose "scan fileName" the following error message pops up:

X Avast UI process (AvastUI.exe) is currently not running
Please run the application before starting a scan

OK

(I would not be able to do a boot scan and I assume it is not scanning boot files either right now)

If there are any other specific problems caused by combofix, please let me know.

It is slower especially on boot.... (both warm and cold);
Minor: made I.E (7.x) the default browser - easy fix
Stops briefly at the "What OS to use" screen...
I have not tried too many things out.... I have read that there may be interference with some other things...

Should I post the log generated by combofix? I believe it shows what was done?

I have merged your original topic with this one.

Thank you! And again thank you so much for replying!
See I don't know whether it is best to
1. Use combofix's restore (I don't have much trust in it)
or
2. Use System restore (made a number of restore points prior to CF and others)
or
3. Edit the registry
Thanks!
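The post above asks whether the Avast! start-up entry is still anywhere in the registry before deciding between System Restore and editing the registry by hand. The script below is an added example, not something from this thread or from Avast: it reads (and only reads) the Run/RunOnce keys that msconfig's Startup tab lists, plus the key where msconfig parks items that are unchecked rather than deleted, and reports whether any entry still references Avast. It assumes PowerShell 2.0 or later is installed on the XP SP3 machine (it ships separately for XP); the "avast" match pattern is a constructed assumption for this check.

```powershell
# Added example (not from the thread): read-only audit of the auto-start
# locations that msconfig shows, to confirm whether the avastUI entry survived.
# Assumes PowerShell 2.0+ (installable on XP SP3). Nothing is written.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Items unchecked in msconfig on XP/Vista/7 are moved here, not deleted.
$msconfigDisabled = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-StartupEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            $entries += New-Object PSObject -Property @{
                Name     = $p.Name
                Command  = $p.Value
                Location = $key
                State    = 'enabled'
            }
        }
    }
    if (Test-Path $msconfigDisabled) {
        foreach ($sub in Get-ChildItem -Path $msconfigDisabled) {
            $v = Get-ItemProperty -Path $sub.PSPath
            $entries += New-Object PSObject -Property @{
                Name     = $sub.PSChildName
                Command  = $v.command      # original command line
                Location = $v.key          # original Run key it came from
                State    = 'disabled by msconfig'
            }
        }
    }
    return $entries
}

$all = Get-StartupEntries
$all | Sort-Object State, Name | Format-Table Name, State, Command, Location -AutoSize

# Constructed check: does any entry still point at the Avast UI?
$avast = $all | Where-Object { $_.Name -match 'avast' -or $_.Command -match 'avast' }
if ($avast) {
    'Avast start-up entry still present:'
    $avast | Format-List Name, State, Command, Location
} else {
    'No Avast entry in the Run keys or in the msconfig disabled list.'
}
```

If the entry is absent from both places, a tool removed it outright rather than msconfig unchecking it, which is the case where reinstalling Avast or restoring the pre-14 June restore point recreates it; the script changes nothing, so it is safe to run before either choice.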

#8 Elise


Posted 18 June 2011 - 11:19 AM

Please do NOT post the combofix log. Instead post me this. :)

Can you please include the link to the topic on the forum where you received help originally?


regards, Elise




#9 SweetTech


Posted 18 June 2011 - 01:38 PM

@Elise,

This looks like the link to the thread that you're looking for.

http://www.windowsbbs.com/malware-virus-removal/99200-active-isolated-positive-findings-trend-avast.html

Please also see these links:

http://forum.scottmueller.com/viewtopic.php?f=3&t=2129
http://www.pcguides.info/uncategorized/active-isolated-positive-findings-trend-and-avast.html
http://aumha.net/viewtopic.php?f=62&p=239066


#10 Elise


Posted 18 June 2011 - 02:01 PM

Thank you SweetTech.

@ XtanyaX, please post about this problem in this topic, where you received help originally.

It is never a good idea to start multiple topics; people helping you will not be aware of steps other helpers ask you to perform, which can cause confusion, but also serious problems.

To avoid any further confusion, I am closing this topic.

regards, Elise






