Help with ComboFix after effects


#1 Half-a-Chance

Posted 25 April 2012 - 06:34 PM

Problems began with the disappearance of my Windows Installer. After many removals of malware, spyware and trojans the problem remained. Spybot always found W3i.IQ5.fraud, but I could not manually delete it since I never found the files and keys Spybot Advisor suggested.

I ran ComboFix after advice from my IT friend. It successfully removed an infection and restored the infected area. Many registry entries were marked for deletion and now I cannot run Windows Security Center. My browser has to be run as Administrator.

I have attached my ComboFix log with the hope that someone can help me and I can get back some functionality to my laptop. I know I am doing things as-backwards, but I'll know better from now on.

I run Vista, x86, 32-bit on an HP Pavilion dv2000.

Attached File: log.txt (148.59KB)

Edited by Half-a-Chance, 25 April 2012 - 06:35 PM.


#2 CatByte

Malware Response Team

Posted 25 April 2012 - 07:21 PM

Give your computer a reboot and that message should go away and functionality should restore.

(it happens sometimes with Vista)

Let's make sure there is nothing lingering:

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Half-a-Chance


Posted 26 April 2012 - 11:39 PM

Thank you. Followed instructions. Results appear below.

Reboot restored functionality.

Ran MBAM. Report:

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.27.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Tom :: TRIDENT [administrator]

Protection: Enabled

4/26/2012 8:47:21 PM
mbam-log-2012-04-26 (20-47-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 229895
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Ran ESET. List of Threats Found:

C:\Users\Tom\Downloads\jZipV1c.exe multiple threats
C:\Users\Tom\Downloads\WinZip-Registry-Optimizer.exe Win32/OpenCandy application

#4 CatByte


Posted 27 April 2012 - 07:46 AM

Hi,

You can delete those installer files found by ESET


NEXT



Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Please advise how the computer is running now and if there are any outstanding issues



#5 Half-a-Chance


Posted 27 April 2012 - 09:39 AM

Hi,

Deleted install files found by ESET

Ran DDS with script blocking disabled. Zipped the Attach.txt. Contents of DDS.txt and the zipped Attach.txt file are attached here.

No outstanding issues at this time. Machine quiet. However, I have not put this machine through paces since diagnostics began. By this evening, any outstanding issues will become apparent.

Thank you!




#6 CatByte


Posted 27 April 2012 - 04:42 PM

Hi,

Looks good, we just have some housekeeping to do now, please do the following:


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 31
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u31-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT



You can delete the DDS logs and program from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the "x" of Combofix and the "/uninstall"; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

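The "Make Internet Explorer more secure" step above changes three Internet-zone ActiveX settings by hand. The script below is an added example, not part of the original post or of any tool the thread names: it reads those three settings from the current user's registry, reports which ones still differ from the recommended values, and can write the recommended values. It assumes that zone 3 is the Internet zone and that the value names 1001, 1004 and 1201 with data 0 = Enable, 1 = Prompt, 3 = Disable are the per-zone settings Microsoft documents for the Internet Settings registry keys; the function names are this example's own.

```powershell
# Added example (not the original post's or any vendor's code): audit the
# Internet-zone ActiveX settings the housekeeping step asks you to change.
# Read-only unless Set-ActiveXZoneSetting is called. Run as the user whose
# Internet Explorer you are checking (the settings live under HKCU).
#
# Assumption: zone 3 = Internet zone; value names and data meanings
# (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented zone settings.
# Caveat: if HKLM\...\Internet Settings\Security_HKLM_only is set to 1, the
# HKLM copy of the zone keys is authoritative and this HKCU check is not enough.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# value name -> recommended data, exactly as the post recommends
$Recommended = @{
    '1001' = 1   # Download signed ActiveX controls                          -> Prompt
    '1004' = 1   # Download unsigned ActiveX controls                        -> Prompt
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe -> Disable
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneSetting {
    param([string]$Path = $ZonePath)
    foreach ($name in ($Recommended.Keys | Sort-Object)) {
        # A value that is absent means the zone falls back to its template level;
        # Get-ItemProperty -Name then returns nothing, which we report explicitly.
        $item    = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $current = $null
        if ($item) { $current = [int]$item.$name }

        if ($null -eq $current)               { $text = 'not set (zone template applies)' }
        elseif ($Label.ContainsKey($current)) { $text = $Label[$current] }
        else                                  { $text = "unknown ($current)" }

        New-Object PSObject -Property @{
            Value       = $name
            Current     = $text
            Recommended = $Label[$Recommended[$name]]
            Compliant   = ($current -eq $Recommended[$name])
        }
    }
}

function Set-ActiveXZoneSetting {
    param([string]$Path = $ZonePath, [switch]$DryRun)
    foreach ($row in (Get-ActiveXZoneSetting -Path $Path | Where-Object { -not $_.Compliant })) {
        $target = $Recommended[$row.Value]
        if ($DryRun) { "Would set $($row.Value) to $target ($($Label[$target]))"; continue }
        # Zone settings are REG_DWORD values; Set-ItemProperty creates a missing value.
        Set-ItemProperty -Path $Path -Name $row.Value -Value $target -Type DWord
    }
}

# Report first; only call Set-ActiveXZoneSetting after reviewing the table.
Get-ActiveXZoneSetting | Format-Table Value, Current, Recommended, Compliant -AutoSize
```

Run the report before and after the manual steps; a row showing "not set" means the zone is still on its template level rather than an explicit choice, which is what you would expect right after "Reset all zones to default level".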


#7 Half-a-Chance


Posted 27 April 2012 - 10:43 PM

Hi

Thank you for all of your hard work and dedication.

Sorry to break the pace but after a day of hard work with this machine all seemed OK until this evening. After starting this machine tonight, Windows Defender would not automatically load. Going to Security Center, Malware Protection, enable Windows Defender gave:

Windows Defender

Application failed to initialize: 0x800106ba. A problem caused this program's service to stop. To start service, restart your computer or search Help and Support to start this service manually.

I started it manually.

Later I noticed when switching from page to page in Firefox, remnants of a previous page would appear in a flash before the new page loaded. I had seen this before cleaning this machine.

Also, after downloading a PDF from a page link, my computer froze. Had to use Task Manager to get out and close program (Adobe). This problem was repeatable. From this point forward, my computer would freeze when simply attempting to download a pdf. This also had been seen before cleaning this machine.

I plan on following your house cleaning instructions in the morning. I do not know if what I am experiencing is related to the house cleaning or if it results from MWBAM and Windows Defender conflicting or possibly something remaining?

#8 CatByte


Posted 27 April 2012 - 10:52 PM

What antivirus do you have installed?

Let's have a look at your services.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#9 Half-a-Chance


Posted 28 April 2012 - 08:31 AM

Had Norton's but it worked so well that I took it off during the cleaning. Plus, it doesn't like anything else running with it. I have Spydoctor also, but disabled it.

I thought best to wait on the housecleaning until I received an OK from you.

Here is the FSS log:
Farbar Service Scanner Version: 24-04-2012
Ran by Tom (administrator) on 28-04-2012 at 09:22:44
Running from "C:\Users\Tom\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

Please advise on the housecleaning. Thank you again.

#10 CatByte


Posted 28 April 2012 - 08:48 AM

I do believe the disabling of Windows Defender with Norton is by design. The log isn't showing any issue with Defender, so I believe Norton has changed the settings.

As for Firefox and Reader:

You may need to uninstall and re-install those programs. Sometimes when malware hits, it can corrupt certain programs; usually, reinstalling the programs that aren't working correctly will resolve those issues.

Make sure all your Adobe products are up to date (Reader, Flash, Shockwave), same with Java; you may need to uninstall, then re-install the latest Java as well.

There are no issues showing in the scanner log.

Let me know how that goes, you should be able to reinstall your security programs now without issue.



#11 Half-a-Chance


Posted 28 April 2012 - 07:54 PM

Hi,

I performed all the housecleaning tasks. No difficulties encountered.

After removing earlier versions, updated to Java SE 6 Update 31 and cleaned cache as instructed.
Deleted DDS logs and program from desktop.
Uninstalled Combofix and deleted logs/tools from desktop.

NEXT

Made Internet Explorer safer as instructed
Downloaded TFC and cleaned temp files
Installed WOT add-on to Firefox

NEXT

Re-installed Firefox 11 and WOT add-on, full Adobe, Adobe flash, and Adobe shockwave. Issues seem to be resolved as of this writing.

I will certainly use password keeper for my new passwords and ERUNT for registry back-up. Back-up-made-easy will give me a second to my external drive. Will read PC Safety article. Good-bye to Norton's. Now planning on using Windows Firewall, Windows Defender and MWBAM. Suppose the tech article will say but are these three enough?

One last annoyance. Windows Defender never automatically starts even though the settings never change within Windows Defender Options. I have to manually start it each reboot or start within Security Center.

Thank you again for sticking with me.

#12 CatByte


Posted 28 April 2012 - 08:05 PM

go into the services window and change the startup type to Auto

Type services.msc into the Start menu search box > when services.msc populates in the window above > right-click it and choose 'Run as administrator'

scroll down to 'Windows Defender'
right click on it > properties

change the startup type to "Auto" > OK

let me know if that changes it,

but I am going to recommend you add Microsoft Security Essentials to your security programs; then you won't need Defender, as MSSE includes it.

Then you will have a good combination of protection programs

http://www.microsoft.com/security_essentials/

with that, you should be good to go :)

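The services.msc steps above fix one service by hand. The script below is an added example, not from the original post or from Farbar Service Scanner: it checks the startup type and state of the security-related services the FSS log sections above correspond to (Security Center, Windows Defender, Windows Firewall and its filtering engine, Windows Update), and can set the ones that should start automatically back to Auto. It uses WMI's Win32_Service rather than Get-Service's StartType property so that it also runs on the PowerShell 2.0 that was available for Vista. The expected startup modes are an assumption (stock Vista/7 defaults), and the function names are this example's own.

```powershell
# Added example (not the original post's or Farbar's code): audit the startup
# type of the security services that FSS reports on, and optionally put the
# ones that should be Automatic back to Auto. Run from an elevated PowerShell
# window (Run as administrator). Uses Get-WmiObject, which exists in Windows
# PowerShell 2.0 through 5.1 (not PowerShell 7).
#
# Assumption: the expected modes are stock Vista/7 defaults. A third-party
# suite such as Norton may deliberately disable WinDefend, so a mismatch is a
# finding to explain, not always a fault to fix.

$Expected = @{
    'wscsvc'    = 'Auto'   # Security Center
    'WinDefend' = 'Auto'   # Windows Defender
    'MpsSvc'    = 'Auto'   # Windows Firewall
    'BFE'       = 'Auto'   # Base Filtering Engine, which the firewall depends on
    'wuauserv'  = 'Auto'   # Windows Update
}

# Win32_Service.StartMode reports 'Auto', but ChangeStartMode() expects 'Automatic'.
$ModeArgument = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

function Get-SecurityServiceState {
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            # No service registration at all: the service key was deleted, by
            # malware or by an over-zealous cleanup. FSS flags this as missing.
            New-Object PSObject -Property @{ Name = $name; Present = $false; StartMode = $null; State = $null; Ok = $false }
            continue
        }
        New-Object PSObject -Property @{
            Name      = $name
            Present   = $true
            StartMode = $svc.StartMode
            State     = $svc.State
            Ok        = ($svc.StartMode -eq $Expected[$name])
        }
    }
}

function Repair-SecurityServiceStartup {
    param([switch]$DryRun)
    foreach ($row in (Get-SecurityServiceState | Where-Object { $_.Present -and -not $_.Ok })) {
        $svc  = Get-WmiObject -Class Win32_Service -Filter "Name='$($row.Name)'"
        $mode = $ModeArgument[$Expected[$row.Name]]
        if ($DryRun) { "Would change $($row.Name) from $($row.StartMode) to $mode"; continue }
        $r = $svc.ChangeStartMode($mode)
        if ($r.ReturnValue -ne 0) {
            Write-Warning "ChangeStartMode failed for $($row.Name) (code $($r.ReturnValue))"
            continue
        }
        # StartService returns 0 on success and 10 if the service is already running.
        if ($row.State -ne 'Running') { $null = $svc.StartService() }
    }
}

# Report first; call Repair-SecurityServiceStartup -DryRun, then without -DryRun,
# once you have decided which mismatches are real faults.
Get-SecurityServiceState | Format-Table Name, Present, StartMode, State, Ok -AutoSize
```

A service that is present and set to Auto but repeatedly ends up Stopped after a reboot points at something else (another security product, or a broken dependency such as BFE for the firewall) rather than at the startup type, so rerun the report after each reboot rather than only once. This covers the startup-type half of what FSS checks; it does not repeat FSS's MD5 check of the service binaries.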


#13 Half-a-Chance


Posted 28 April 2012 - 09:40 PM

Hi,

Changed setting for Windows Defender in Services to auto. Solved start-up issue.

Installed MSE with updates. Are there known conflicts between MSE and MBAM or are they OK together?

Getting close to the end :)

#14 CatByte


Posted 28 April 2012 - 09:44 PM

They work very well together

:thumbup2:



#15 Half-a-Chance


Posted 28 April 2012 - 10:17 PM

Hi,

That's great. Much appreciation for hanging with me through this. I hope my cooperation and comprehension met your hopes and wasn't too wonky. I learned a lot; I want to believe it outweighs the initial shock of discovering problems. Best wishes for continued success, and thank you immensely for all of your guidance. :heart:



