Posted 11 September 2011 - 07:50 AM
Hi everyone. New to the forums (although I have come here for help plenty of times). I have already broken the rule of not using ComboFix before being told to use it, because I did a Google search on my problem and it was recommended for each of the people who had similar problems (and I didn't realize I wasn't supposed to do it without supervision). I will give a summary of how this started, what I have done to fix it so far, and where things stand.
I have a Dell Latitude E6500 with Windows XP Pro, SP3. This is a work computer, and the hard drive is encrypted using SafeGuard Easy 4.3. It has some proprietary software that is only compatible with certain versions of "off the shelf" software. One of the programs we need is Adobe Reader 9.1. As you know, 9.1 is an old version of Adobe Reader, but no other version will work with our proprietary software, and of course our corporate office likes to make things difficult. So after a Google search for 9.1, I attempted the download here: affenknecht.com/temp/files/download-adobe-reader-91.php
That site is where I contracted the virus that I now have. Our virus scan software is required and controlled by our corporate office (but they do not help us clean infected PCs). We run Symantec Endpoint Protection. I also run Immunet 3.0, Secunia PSI and Malwarebytes if I suspect infections or if software needs to be updated (I can update some software on my own without creating conflicts, but not Adobe Reader).
So after contracting the virus, I immediately noticed that Symantec Endpoint Protection was being blocked. I could not run scans through it, Immunet or Malwarebytes. Immunet would open, but scanning was disabled (greyed out). Malwarebytes opened at first, but my definitions were out of date. When I tried to update the definitions, I got an error and was asked to call support to correct it. I closed the program, and then when I tried to run it from the Start menu, it simply gave me the error that the path of the program was not valid (I checked Program Files and it was still there, so clearly this was the virus at work - I couldn't even open the program from the root directory). I was still able to connect to the internet, so I downloaded SUPERAntiSpyware, loaded it and ran it (it was allowed to run). It found 517 tracking cookies and erased them all, but no viruses. Malwarebytes still couldn't run, so I got the brilliant idea to re-download and install it. That worked. I was able to update the definitions to the most recent and run a full scan. It found 17 or so random tracking cookies and 2 trojan horses: Backdoor.0access and Trojan.Agent.
Malwarebytes said it cleaned them and deleted the files, but my virus scanners still will not work. I ran SAS again and Malwarebytes a few more times, and came up empty. That's when I decided, through a web search and forum posts here, to go the ComboFix route. I know it could potentially render my PC unusable, and luckily I am backed up, but my PC is not simple to reload with software. If this were my home PC, I would format the drive and start over and not waste my time chasing unicorns. But this PC takes a week or so to bring back to life because of all the proprietary software that has to be tunneled into it through our corporate VPN.
So I ran ComboFix, but it did not run correctly. I kept getting several errors as it proceeded, including that Windows could not find NIRCMD, NIRKMD, NIRCMDB.exe, and the screen that said that Windows needed to close the process down. It rebooted twice, and ran through all 50 stages (each time giving me the NIRKMD message), and is now on the "COMBOFIX - FIND3M" box. I think that takes me to where I am. I am posting this on another PC while the infected PC continues to run ComboFix. It hasn't gotten to any kind of log screen yet. If it does, I can post it upon request. I am just wondering if there is any hope whatsoever.