Infected possibly with malware, virus, trojan, and spyware


  • This topic is locked
66 replies to this topic

#1 cpchix (Members)

Posted 02 November 2011 - 06:00 PM

Hello,

A few weeks ago I posted about a possible infection from malware. Here is the link:

http://www.bleepingcomputer.com/forums/topic424170.html/page__p__2447293__fromsearch__1#entry2447293

I apologize that I did not reply, but after that time, I think (emphasis on think) I have removed the malware. However, my web searches misdirect me to other websites. So I think that I am still infected with something, possibly from the fake program I installed while trying to remove the malware.

As per the instructions I have included the DDS and GMER reports with this post. I do have recovery discs, unfortunately I believe these are just for the Windows Xp program, and not the school software that my school had installed for me. Since I have graduated, I would lose these programs if I were to do a simple Windows Xp reinstall.

Again I thank you for the assistance.


#2 CatByte (Malware Response Team)

Posted 05 November 2011 - 05:15 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 cpchix (Topic Starter)

Posted 10 November 2011 - 02:29 AM

Hello,

I seem to be having even more trouble now. My computer will boot up both in normal and in the various safe modes. However when it is about to load the windows desktop I encounter some errors.

First of all, the desktop will appear, but blank: no icons and no wallpaper; however, the toolbar that appears at the bottom of the screen will show.

Immediately after that, the desktop will go black and a whole series of cascading windows appears with the following message:
__________________________________________________________________________________________________________________________________
Windows - Delayed Write Failed
Failed to save all the components for the file \\System32\\0000390c. The file is corrupted or unreadable. This error may be caused by a PC hardware problem.
__________________________________________________________________________________________________________________________________

After those windows appear, a new window pops up. It does a series of diagnosis and it says:
________________________________________________________________
System Restore

PC Performance and Stability analysis report
________________________________________________________________

Also a balloon appears near the clock and has the following message:
___________________________________________________________________
Hard drive clusters are partly damaged. Segment load failure
___________________________________________________________________

Please tell me what I can do to save my computer!

Thank you.

#4 CatByte (Malware Response Team)

Posted 10 November 2011 - 06:53 AM

That's still part of the infection

Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.

Were you able to run ComboFix? If not, please try booting into safe mode and running ComboFix from safe mode:

To Enter Safemode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • Go into your usual account




This link explains what the infection does and what you see

http://www.bleepingcomputer.com/virus-removal/

Edited by CatByte, 10 November 2011 - 06:59 AM.


#5 cpchix (Topic Starter)

Posted 13 November 2011 - 12:46 AM

That's still part of the infection

Please download Unhide.exe to your desktop:

  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.

Were you able to run ComboFix? If not, please try booting into safe mode and running ComboFix from safe mode:

To Enter Safemode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • Go into your usual account




This link explains what the infection does and what you see

http://www.bleepingcomputer.com/virus-removal/


Hello,

I tried to do what you suggested. However, I am unable to do anything once my computer boots up. I cannot even go online to download the file, much less run it from a USB drive or do the suggested steps in safe mode. What should I do? The virus makes it seem like my HDD has failed.

#6 CatByte (Malware Response Team)

Posted 13 November 2011 - 08:48 AM

What happens when you boot into safe mode?

Are you able to?


If you can boot into safe mode > do the following:


All of the following folders are bad >

show hidden files and folders > navigate to them > right click and delete them

  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Under the "Hidden files" folder, select "Show hidden files and folders."
  • Clear "Hide protected operating system files."
  • Click Apply, and then click OK.




c:\documents and settings\akato08\application data\O5aaQHH6dWKfR9h
c:\documents and settings\akato08\application data\ilOONNtxP0uc2iD
c:\documents and settings\akato08\application data\q666sWWJ7
c:\documents and settings\akato08\application data\ptttzP00yc1i
c:\documents and settings\akato08\application data\kF44ppmH5sWJdE
c:\documents and settings\akato08\application data\dZZZqhhYC
c:\documents and settings\akato08\application data\pttzzP0ycA1i
c:\documents and settings\akato08\application data\KoonFF4amH6WJfL
c:\documents and settings\akato08\application data\etttxAA0uvSib3p
c:\documents and settings\akato08\application data\zqqjYYCwkIVrO
c:\documents and settings\akato08\application data\ECwwkkIVrz
c:\documents and settings\akato08\application data\m11iibD3onGaQ6s
c:\documents and settings\akato08\application data\LnnGG4aQH6dW7f
c:\documents and settings\akato08\application data\LGGG4aaQH6sK7RL
c:\documents and settings\akato08\application data\m777fELL9gZqjCk


#7 cpchix (Topic Starter)

Posted 16 November 2011 - 11:00 PM

Hello,

Miraculously, I was able to use my computer today! I quickly went ahead and ran the "unhidden" program to reveal the previously hidden desktop icons. Then I ran "combo fix." It said that I had a root-kit called "rootkit.zeroaccess" in my computer. After I clicked "ok" in the dialogue box, "combo fix" continued to run and it automatically restarted my computer, once it finished its scan. I want to add that I never received a log of what "combo fix" did.

After the restart, I could not access the Internet, so following the directions from "combo fix" I restarted the computer to see if I could use the Internet again. Unfortunately it did not work, so I re-ran "combo fix" a second time. As of this time, I am still unable to access the Internet through my laptop.

What should I do next?

On another note, I was wondering if there was a way to restore my computer to the way it was when I first received it from Dell. It came pre-installed with my school's programs that came with my computer. I do have a "Windows XP" disc that came with it, but I am sure that it does not have the programs that were required for my school.

#8 CatByte (Malware Response Team)

Posted 16 November 2011 - 11:19 PM

Hi,

No the disk won't have the programs on it that were installed by your school if it is just an XP installation disk provided by Microsoft or the manufacturer of the computer. If it is a disk provided by the school, then it may well have the programs on it.

One of the files required to access the internet was likely infected or corrupted, so we will need to replace it for you to get back online.

Please look for a ComboFix log at C:\combofix.txt


If you could save the log to a USB, then post it from another computer.


Then download the following onto the USB, transfer it over to the infected computer and run it.


Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#9 cpchix (Topic Starter)

Posted 18 November 2011 - 04:29 AM

Hello,

I seem to be having trouble with "combofix" now. When I tried looking for the .txt it is no longer in my computer. The directory you suggested was there, however the icon is now replaced with a computer monitor instead of a folder. When I click on the computer monitor it brings me back to the "my computer" directory.

When I try to re-run "combofix," the program will just stall and stay in the windowed blue screen for what seems like hours. When I try to close the window it ends up freezing my computer. I end up having to do a forced shut down by pressing and holding down my computer's power button.

Here is the report for farbar service scanner:

Farbar Service Scanner
Ran by akato08 (administrator) on 18-11-2011 at 00:22:14
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 02:00] - [2008-04-13 11:19] - 0075264 ____A () 7F8EBB3CD779E2E27322C054C3E70BDB

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is blocked.
There is no connection to network.
Attempt to Google returned error: Other errors
Attempt to yahoo returend error: Other errors

**** End of log ****
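The log above is read by eye in the next reply: three networking services are stopped, and ipsec.sys is the one checked file for which FSS printed file details instead of "=> MD5 is legit". As an added example (not code from the thread and not part of the Farbar tool), here is a small Python parser that pulls exactly those items out of an FSS log so the same triage can be done on any log of this shape. The embedded sample is a constructed, abridged copy of the output posted above; the function and field names are mine.

```python
"""Triage helper for a Farbar Service Scanner (FSS) log.

Added example, not part of the thread and not FSS's own code. It reads the
"Service Check", "File Check" and "Connection Status" sections of an FSS log
and reports services that are not running, service-configuration lines that
are not "OK", and checked files for which FSS printed file details instead of
"=> MD5 is legit" (a hash the tool did not recognise). The sample log below
is a constructed, abridged copy of the output posted in the thread.
"""
import re

SAMPLE_FSS_LOG = r"""Farbar Service Scanner
Ran by akato08 (administrator) on 18-11-2011 at 00:22:14
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 02:00] - [2008-04-13 11:19] - 0075264 ____A () 7F8EBB3CD779E2E27322C054C3E70BDB

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is blocked.
There is no connection to network.

**** End of log ****
"""

SECTIONS = {"Service Check:", "File Check:", "Connection Status:"}
SERVICE_DOWN_RE = re.compile(r"^(\w+) Service is not running\.")
SERVICE_CFG_RE = re.compile(r"^The (start type|ImagePath|ServiceDll) of (\w+) service is (.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
MD5_AT_END_RE = re.compile(r"\b([0-9A-Fa-f]{32})\s*$")


def parse_fss_log(text):
    """Return stopped services, non-OK config lines, unverified files and connection notes."""
    result = {"stopped": [], "config_problems": [], "unverified": [], "connection": []}
    section = None
    pending_path = None  # a File Check path still waiting for its verdict line
    for raw in text.splitlines():
        line = raw.rstrip()
        if line in SECTIONS:
            section = line
            continue
        if section == "Service Check:":
            m = SERVICE_DOWN_RE.match(line)
            if m:
                result["stopped"].append(m.group(1))
                continue
            m = SERVICE_CFG_RE.match(line)
            if m and m.group(3) != "OK.":
                result["config_problems"].append((m.group(2), m.group(1), m.group(3)))
        elif section == "File Check:":
            if line.endswith("=> MD5 is legit"):
                pending_path = None          # FSS recognised the hash
            elif pending_path and line.startswith("["):
                # Details line: timestamps, size, attributes and the unrecognised MD5
                m = MD5_AT_END_RE.search(line)
                result["unverified"].append((pending_path, m.group(1).upper() if m else None))
                pending_path = None
            elif PATH_RE.match(line):
                pending_path = line          # no verdict on this line; details follow
        elif section == "Connection Status:":
            if line and not line.startswith(("*", "=")):
                result["connection"].append(line)
    return result


def triage(text):
    """Turn the parsed log into one finding per line, as a responder would read it."""
    r = parse_fss_log(text)
    findings = [f"service {s} is not running" for s in r["stopped"]]
    findings += [f"{svc}: {field} is {val}" for svc, field, val in r["config_problems"]]
    findings += [f"unverified file {p} (MD5 {h})" for p, h in r["unverified"]]
    findings += [f"connection: {c}" for c in r["connection"]]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FSS_LOG):
        print(finding)
```

On the sample this yields two stopped services, one unverified file (ipsec.sys with its reported MD5) and the two connection notes. An unrecognised hash is not proof of tampering by itself; it is the prompt to compare the file against a known-good copy, which is what the reply below does with SystemLook.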

#10 CatByte (Malware Response Team)

Posted 18 November 2011 - 04:30 PM

OK,

Let's see if we can find a replacement for ipsec.sys as it appears to be patched.

Please download the following to a USB, transfer it over to the infected PC and run it.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *ipsec*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


#11 cpchix (Topic Starter)

Posted 18 November 2011 - 08:37 PM

Hello,

Here is the report for system look:

SystemLook 30.07.11 by jpshortstuff
Log created at 17:27 on 18/11/2011 by akato08
Administrator - Elevation successful

========== filefind ==========

Searching for "*ipsec*"
C:\INSTALL\OEM\XPPROSP2\I386\IPSEC.SY_ -ra---- 39596 bytes [23:03 26/06/2006] [10:00 04/08/2004] 88DC5CC7670238929F698AFBBC0B5594
C:\INSTALL\OEM\XPPROSP2\I386\IPSEC6.EX_ -ra---- 21063 bytes [23:03 26/06/2006] [10:00 04/08/2004] E48E230113A14197FBCA8815B3D12BD7
C:\INSTALL\OEM\XPPROSP2\I386\IPSECONW.CH_ -ra---- 205553 bytes [23:03 26/06/2006] [10:00 04/08/2004] F086554744F31FB5DF74661AE8629DE0
C:\INSTALL\OEM\XPPROSP2\I386\IPSECSNP.DL_ -ra---- 110247 bytes [23:03 26/06/2006] [10:00 04/08/2004] F2ADB73817B113D1C10D3D331799233B
C:\INSTALL\OEM\XPPROSP2\I386\IPSECSNP.HL_ -ra---- 26659 bytes [23:03 26/06/2006] [10:00 04/08/2004] 8F3B37808EE282DB2D1A7651D592667F
C:\INSTALL\OEM\XPPROSP2\I386\IPSECSVC.DL_ -ra---- 63159 bytes [23:03 26/06/2006] [10:00 04/08/2004] 0645AF0AD57F978779939FCB8B9C079A
C:\INSTALL\OEM\XPPROSP2\I386\IPSECW.CH_ -ra---- 11091 bytes [23:03 26/06/2006] [10:00 04/08/2004] CDAD94A354F3EDC70461923FCB02A630
C:\INSTALL\OEM\XPPROSP2\I386\WINIPSEC.DL_ -ra--c- 11469 bytes [23:04 26/06/2006] [10:00 04/08/2004] 95F57ACCF566146C0AEB28B3B328E907
C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe --a---- 177216 bytes [23:14 27/06/2006] [15:34 20/04/2006] DBFB473D1B6D2FFE2508854178FDDB47
C:\Program Files\Cisco Systems\VPN Client\ipseclog.exe --a---- 173112 bytes [23:14 27/06/2006] [15:34 20/04/2006] 7122B1B2FB742A65DA2099A465BFE9D6
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [07:07 21/12/2008] [10:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\$NtServicePackUninstall$\ipsecsnp.dll -----c- 349696 bytes [07:08 21/12/2008] [10:00 04/08/2004] 46728E8AC5502D5318D5FA8584F443AD
C:\WINDOWS\$NtServicePackUninstall$\ipsecsvc.dll -----c- 182784 bytes [07:08 21/12/2008] [10:00 04/08/2004] D1E299962B5956005113EC4AB1E0D9B7
C:\WINDOWS\$NtServicePackUninstall$\winipsec.dll -----c- 32768 bytes [07:07 21/12/2008] [10:00 04/08/2004] 2B2F31E3F2CE3723C1B0F3700C8BE28B
C:\WINDOWS\Help\ipsecconcepts.chm --a---- 219609 bytes [10:00 04/08/2004] [10:00 04/08/2004] 561086D29B911EBE468A0E4522F6C28A
C:\WINDOWS\Help\ipsecsnp.chm --a---- 18800 bytes [10:00 04/08/2004] [10:00 04/08/2004] 27893081909B5F7430F648DC48688CB6
C:\WINDOWS\Help\ipsecsnp.hlp --a---- 84292 bytes [10:00 04/08/2004] [10:00 04/08/2004] 98EAAA9552B7ADAF2343BBB089AF8143
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [02:17 26/08/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\ServicePackFiles\i386\ipseconw.chm ------- 219609 bytes [02:17 26/08/2008] [10:00 04/08/2004] 561086D29B911EBE468A0E4522F6C28A
C:\WINDOWS\ServicePackFiles\i386\ipsecsnp.dll ------- 349696 bytes [02:17 26/08/2008] [00:11 14/04/2008] EF90321EE87DF18CE318E44DB4B33455
C:\WINDOWS\ServicePackFiles\i386\ipsecsvc.dll ------- 183808 bytes [02:17 26/08/2008] [00:11 14/04/2008] 332760FBA1655FCFD35BD6F4FD871300
C:\WINDOWS\ServicePackFiles\i386\napipsec.dll ------- 30208 bytes [02:18 26/08/2008] [00:12 14/04/2008] 87906187B3AF89582380D156DA601F68
C:\WINDOWS\ServicePackFiles\i386\winipsec.dll ------- 32256 bytes [02:18 26/08/2008] [00:12 14/04/2008] 248712EA6BA17B9FF0C542A3828375DD
C:\WINDOWS\system32\ipsec6.exe --a---- 44032 bytes [10:00 04/08/2004] [10:00 04/08/2004] 9869330E6E45029FD1640AA80130146E
C:\WINDOWS\system32\ipsecsnp.dll --a---- 349696 bytes [10:00 04/08/2004] [00:11 14/04/2008] EF90321EE87DF18CE318E44DB4B33455
C:\WINDOWS\system32\ipsecsvc.dll --a---- 183808 bytes [10:00 04/08/2004] [00:11 14/04/2008] 332760FBA1655FCFD35BD6F4FD871300
C:\WINDOWS\system32\napipsec.dll ------- 30208 bytes [02:18 26/08/2008] [00:12 14/04/2008] 87906187B3AF89582380D156DA601F68
C:\WINDOWS\system32\winipsec.dll --a---- 32256 bytes [10:00 04/08/2004] [00:12 14/04/2008] 248712EA6BA17B9FF0C542A3828375DD
C:\WINDOWS\system32\dllcache\ipsec6.exe --a--c- 44032 bytes [10:00 04/08/2004] [10:00 04/08/2004] 9869330E6E45029FD1640AA80130146E
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [10:00 04/08/2004] [19:19 13/04/2008] 7F8EBB3CD779E2E27322C054C3E70BDB

-= EOF =-

On a side note, would it be possible if (or when) I buy a new laptop, could I just use that new computer's system restore disc and install it onto this infected computer? That may save us some trouble in getting rid of all this malware. Please don't misunderstand, I really appreciate the help you are giving me. =)
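The useful fact in the SystemLook output above is a pair of lines: C:\WINDOWS\system32\drivers\ipsec.sys and C:\WINDOWS\ServicePackFiles\i386\ipsec.sys have the same size (75264 bytes) and the same modification time, yet different MD5s. A driver whose content changed while its size and timestamp were preserved is the signature of a patched file, and the untouched ServicePackFiles copy is the natural replacement source. As an added example (not code from the thread and not part of SystemLook), the Python below parses a ":filefind" log and performs that comparison for every file in it, not only ipsec.sys: each in-use copy under system32 is checked against Windows' own backup copies (ServicePackFiles, dllcache, $NtServicePackUninstall$) of the same size and modification time. The embedded sample is a constructed, abridged copy of the posted log; the function and field names are mine.

```python
"""Cross-check in-use system files against Windows' own backup copies listed
in a SystemLook ":filefind" log.

Added example, not part of the thread and not SystemLook's own code. It parses
the filefind result lines, groups the copies of each file by name, and flags an
in-use copy under system32 whose MD5 differs from a backup copy (ServicePackFiles,
dllcache or $NtServicePackUninstall$) that has the same size and modification
time. The sample is a constructed, abridged copy of the log posted in the thread.
"""
import re
from collections import defaultdict

SAMPLE_SYSTEMLOOK_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 17:27 on 18/11/2011 by akato08
Administrator - Elevation successful

========== filefind ==========

Searching for "*ipsec*"
C:\INSTALL\OEM\XPPROSP2\I386\IPSEC.SY_ -ra---- 39596 bytes [23:03 26/06/2006] [10:00 04/08/2004] 88DC5CC7670238929F698AFBBC0B5594
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [07:07 21/12/2008] [10:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [02:17 26/08/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\ServicePackFiles\i386\winipsec.dll ------- 32256 bytes [02:18 26/08/2008] [00:12 14/04/2008] 248712EA6BA17B9FF0C542A3828375DD
C:\WINDOWS\system32\ipsec6.exe --a---- 44032 bytes [10:00 04/08/2004] [10:00 04/08/2004] 9869330E6E45029FD1640AA80130146E
C:\WINDOWS\system32\winipsec.dll --a---- 32256 bytes [10:00 04/08/2004] [00:12 14/04/2008] 248712EA6BA17B9FF0C542A3828375DD
C:\WINDOWS\system32\dllcache\ipsec6.exe --a--c- 44032 bytes [10:00 04/08/2004] [10:00 04/08/2004] 9869330E6E45029FD1640AA80130146E
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [10:00 04/08/2004] [19:19 13/04/2008] 7F8EBB3CD779E2E27322C054C3E70BDB

-= EOF =-
"""

# One filefind result line: path, 7-char attribute field, size, created, modified, MD5
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
BACKUP_MARKERS = ("\\servicepackfiles\\", "\\dllcache\\", "$ntservicepackuninstall$")


def classify(path):
    """'backup' for Windows' own reference copies, 'live' for the copy in use, else 'other'."""
    p = path.lower()
    if any(marker in p for marker in BACKUP_MARKERS):
        return "backup"
    if "\\system32\\" in p:
        return "live"
    return "other"


def parse_filefind(text):
    """Parse each filefind result line into a dict; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        e["role"] = classify(e["path"])
        entries.append(e)
    return entries


def find_patched_files(text):
    """Return one finding per live copy that disagrees with a same-version backup copy."""
    by_name = defaultdict(list)
    for e in parse_filefind(text):
        by_name[e["name"]].append(e)
    findings = []
    for name, copies in sorted(by_name.items()):
        live = [c for c in copies if c["role"] == "live"]
        backups = [c for c in copies if c["role"] == "backup"]
        for lv in live:
            for b in backups:
                # Compare only against a backup of the same build (equal size and
                # modification time); older service-pack copies differ legitimately.
                same_version = b["size"] == lv["size"] and b["modified"] == lv["modified"]
                if same_version and b["md5"] != lv["md5"]:
                    findings.append({
                        "name": name,
                        "live_path": lv["path"], "live_md5": lv["md5"],
                        "reference_path": b["path"], "reference_md5": b["md5"],
                    })
    return findings


if __name__ == "__main__":
    for f in find_patched_files(SAMPLE_SYSTEMLOOK_LOG):
        print(f"{f['live_path']} ({f['live_md5']}) differs from "
              f"{f['reference_path']} ({f['reference_md5']})")
```

On the sample, ipsec6.exe and winipsec.dll agree with their backup copies and drop out; only the in-use ipsec.sys is reported, with the ServicePackFiles copy named as the reference. The $NtServicePackUninstall$ copy is a different build (74752 bytes, older timestamp) and is deliberately not compared, since a mismatch there would mean nothing.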

#12 CatByte (Malware Response Team)

Posted 18 November 2011 - 09:03 PM

On a side note, would it be possible if (or when) I buy a new laptop, could I just use that new computer's system restore disc and install it onto this infected computer? That may save us some trouble in getting rid of all this malware. Please don't misunderstand, I really appreciate the help you are giving me. =)

I don't believe Microsoft allows installation of their OS on more than one computer.

Please do the following:

Please do this in safe mode if you cannot get it to run in normal mode

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

script removed

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Edited by CatByte, 25 November 2011 - 03:02 PM.


#13 cpchix (Topic Starter)

Posted 25 November 2011 - 03:33 AM

Hello,

I have been trying to run "Combofix" as you have instructed in the previous post. However, the program always freezes. I would leave my computer on for a few hours, yet nothing happens. Once the program runs I do not touch my computer, but the program still freezes, even in safemode. What am I doing wrong?

#14 CatByte (Malware Response Team)

Posted 25 November 2011 - 03:01 PM

Hi


Please try the following script instead; please make sure your security programs are disabled.




  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sys

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Edited by CatByte, 28 November 2011 - 04:24 PM.


#15 cpchix (Topic Starter)

Posted 01 December 2011 - 03:53 AM

Hi


Please try the following script instead; please make sure your security programs are disabled.




  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sys

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Hi,

I have done what you asked, but Combofix does not appear to work. When I put the .txt file into Combofix, it runs for a bit on the blue screen, stalls and then closes the program.

I checked to see if there are any logs left, and this is all I can find in the C:\Combofix folder:

Cf27578
3xeFile
380kb

That is the information that is seen on the file. It is not even a standard text icon, instead it is the picture of a dos icon.

I have done this numerous times and even in Safemode but to no avail. Should I have the laptop connected to the internet to allow Combofix to update? But that would not make sense as I cannot connect to the internet in the first place. Should I try connecting through a wire and not wirelessly?

Thank you.



