Combofix Link Infected??


13 replies to this topic

#1 w8ing4winter (Members, 4 posts; Milwaukee WI)

Posted 11 January 2012 - 04:38 PM

Hey guys. Long time user, first time poster.

Today I went to download combofix from link 1 on this site. Avast! came up with an alert for a rootkit. I am aware of false positives, but I have never gotten one from Avast! about Combofix before. So I went ahead anyways, put it on a flashdrive, moved to the infected computer, and combofix itself said not to run the program. It's strange, but could the link on Bleeping Computers be infected? Just wondering. Thanks in advance.

Michelle

Edit: Moved topic from Breaking Virus & Security News to the more appropriate forum. ~ Animal


#2 Blade, Strong in the Bleepforce (Site Admin, 12,743 posts; US)

Posted 11 January 2012 - 05:13 PM

Hi w8ing4winter,

    So I went ahead anyways, put it on a flashdrive, moved to infected computer, and combofix itself said not to run program.


Could you please provide me with the exact text of the message Combofix gave you when you tried to run it?

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#3 quietman7, Bleepin' Janitor (Global Moderator, 51,944 posts; Virginia, USA)

Posted 11 January 2012 - 05:32 PM

@ w8ing4winter and any other members reading this topic.

avast! reported my download as Win32:Rootkit-gen, which I posted about here earlier today. You can read my reply to another user as to why, so rest assured BC's download links are not infected.

However, please answer Blade's question which could help us determine what else may be going on.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donate button]

#4 w8ing4winter, Topic Starter (Members, 4 posts; Milwaukee WI)

Posted 11 January 2012 - 06:18 PM

Ok, slight misinformation on my behalf. The "Warning" was not from Combofix, but from Windows. It says exactly:

Warning - Compatibility Mode
Do not run Combofix in Compatibility Mode
Doing so may damage the machine.

I'm not exactly sure what that means (I'll probably google that to see). Also, thanks for the link to your post. I did try to browse through the forums initially and didn't see anything at first glance. I will read through yours after posting this. But yeah, I've used BC for a while now for CF, and I love it. I didn't really believe it would be infected with all the brain power on here ;) But it's just weird that I've downloaded it many times with my same config and never have seen that before.

Do you think MY pc could be infected? I've been having that feeling lately as my computer has been acting strange, but nothing obvious.

Thanks so much guys, for everything. I'm off to read your post quietman.

#5 w8ing4winter, Topic Starter (Members, 4 posts; Milwaukee WI)

Posted 11 January 2012 - 06:58 PM

I read through the post with the link you provided and found it to be very informative. Thanks guys so much for your help. And big thanks to the combofix developer and the Bleeping Computer team. BEST tool available for removing rootkits (in my opinion).

Much appreciated
Michelle

#6 quietman7, Bleepin' Janitor (Global Moderator, 51,944 posts; Virginia, USA)

Posted 11 January 2012 - 07:03 PM

Compatibility mode allows an older program written for an earlier version of Windows to run on a newer version. Running ComboFix in Compatibility mode may result in applying certain registry fixes specifically intended for a different operating system, which can result in serious damage. As such, ComboFix will provide a warning message:

[Image: ComboFix "Warning - Compatibility Mode" dialog]
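Windows records which executables it launches under a compatibility layer in the AppCompatFlags\Layers registry keys, one per user (HKCU) and one for the whole machine (HKLM). The script below is an added example, not code from this thread or from ComboFix, that lists those entries and flags any that point at a given executable name; it assumes PowerShell 2.0 or later and uses ComboFix.exe as the default name to look for.

```powershell
# Added example (not from the thread): list the per-executable compatibility
# layers stored in AppCompatFlags\Layers so you can see whether a tool such
# as ComboFix.exe has been set to run in a compatibility mode without anyone
# choosing that option from the file's Properties dialog.
# Assumptions: PowerShell 2.0 or later; $ExeName is the binary to inspect.

param(
    [string]$ExeName = 'ComboFix.exe'   # assumption: the executable you are checking
)

# Per-user and machine-wide locations of the compatibility-layer entries.
$layerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)

foreach ($key in $layerKeys) {
    if (-not (Test-Path $key)) {
        Write-Output "$key : not present"
        continue
    }

    $item = Get-Item $key
    foreach ($valueName in $item.GetValueNames()) {
        # The value name is the full path of the executable; the data is the
        # layer string Windows will apply, for example "WIN98" or
        # "WINXPSP3 RUNASADMIN".
        $layers = $item.GetValue($valueName)
        if ($valueName -like "*\$ExeName") {
            Write-Output "MATCH   $valueName -> $layers"
        } else {
            Write-Output "other   $valueName -> $layers"
        }
    }
}
```

Run it as the user who launched the tool, since the HKCU key is per user. A MATCH line means Windows will start that binary under the listed layer every time, which is exactly the situation ComboFix's warning is meant to catch; if the entry is stale or unwanted, it can be cleared with Remove-ItemProperty -Path <key> -Name <full path to the exe>, after which the program runs natively again.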

#7 w8ing4winter, Topic Starter (Members, 4 posts; Milwaukee WI)

Posted 11 January 2012 - 08:31 PM

Wow, thanks, you did all the legwork for me lol. But I still have to do a little research, because it's a regular WinXP 32-bit, IE8. It's been updated recently, so I'm not sure why the compatibility mode. The OS isn't really that old.

Again, thanks for everything. It's much appreciated.

Michelle

#8 Blade, Strong in the Bleepforce (Site Admin, 12,743 posts; US)

Posted 12 January 2012 - 02:33 AM

Thanks for the assist QM7 :)



#9 quietman7, Bleepin' Janitor (Global Moderator, 51,944 posts; Virginia, USA)

Posted 12 January 2012 - 07:57 AM

No Problem Blade. :thumbup2:

#10 Dou9las (Members, 2 posts)

Posted 13 January 2012 - 01:19 AM

Hello,
I am brand new to the forum, but have been using ComboFix for 2+ years now. Like w8ing4winter, I love it and consider it to be hands down the best tool available for dealing with malware. I am not trying to hijack this thread, but I have what is seemingly the exact same issue(s) happening when I try to download and run Combofix.

Like the OP, my system is Windows XP, 32 bit. I too thought there was a problem with the link, because when I went to download the latest tonight, in both Chrome and FireFox, the download would not complete, and I got an error stating that the "file could not be read".

When I tried to execute the version I had saved locally (an older .exe file) I also got the message "do not run in compatibility mode" for the first time ever tonight, and right before trying to run it, my system had prompted me to reboot for a Windows Update, which I did.

Also, while I understand conceptually what compatibility mode is, I am not trying to execute ComboFix.exe in compatibility mode (i.e. by right-clicking and choosing that option.) I have no idea why it is trying to do that automatically. Can anyone help me understand why that is all of a sudden happening?

Also one note, when I run the .exe, and prior to getting the error message about compatibility mode, I am seeing an error message while ComboFix "unpacks" (for lack of a better term) where it states that a specific file was unable to be extracted, and offers the choices to try again, abort, or exit. This has happened 3 times in a row, and I always choose "try again" and shortly after that, it terminates with that compatibility message.

Any help would be appreciated at least in understanding why this behavior, which is new to me, is now happening. In the future, I am happy to follow the bleepingcomputer protocol for diagnosing and cleaning, getting supervision etc.

Thank You!

-Doug

#11 quietman7, Bleepin' Janitor (Global Moderator, 51,944 posts; Virginia, USA)

Posted 13 January 2012 - 06:09 AM

Welcome to BC Dou9las

Part of what you describe could be due to your anti-virus. Failure to temporarily disable it and any other anti-malware real-time protection before performing a scan can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

#12 Dou9las (Members, 2 posts)

Posted 13 January 2012 - 12:44 PM

Ah, thank you Quietman. Normally, CF prompts me to disable it but did not this time. I actually did not see the tray icon active (Avast) so I thought it was already disabled, but I did not double check it, will do.

#13 Bilbo T Baggins (Banned, 11 posts)

Posted 25 January 2012 - 09:50 PM

I have the combofix command nircmd "mysteriously" show up in my machine whilst never using or downloading the program?? Any ideas how?
Spooky stuff hey..

#14 quietman7, Bleepin' Janitor (Global Moderator, 51,944 posts; Virginia, USA)

Posted 25 January 2012 - 10:51 PM

NirCmd is a command-line utility that can be used to perform many different tasks such as executing programs, writing and deleting values and keys in the registry, creating file shortcuts, restarting a computer, shutting it down, and much more. Since NirCmd is so versatile, it is embedded with various specialized fix tools used during malware analysis and disinfection. Unfortunately this utility can also be used for nefarious purposes by those with malicious intent, so it is not uncommon for security tools to detect it as a potential threat.