
After using ComboFix no application is running. Logs attached.


This topic is locked
5 replies to this topic

#1 adanish


Posted 16 February 2014 - 10:35 AM

I used ComboFix. But after completion of the ComboFix operation I am not able to run any application on the system. I also noticed that all .exe files are removed from their respective folders.

I was trying to paste the logs in this window but I got a message that 'your message is too long'. I was also getting a time-out error, so I am sending the file as an attachment.

Attached: ComboFix Log, DDS Log, Attach log




#2 Elise

Malware Study Hall Admin

Posted 17 February 2014 - 08:52 AM

Hi, before attempting any restore, a few questions: what infection symptoms did your computer have?

Are you able to access the internet right now? If so, please upload a few of the quarantined files to www.virustotal.com and post the links to the scan results here.

I also see a number of cracks on your system; it's really no wonder you end up with a file infector (which this looks like), as cracks are often used to spread the latest nasties. If this is, as I suspect, a file infector, then there's no way to retrieve the deleted files as they'll only reinfect the system.


regards, Elise




#3 myrti

Malware Study Hall Admin

Posted 17 February 2014 - 09:11 AM

Hi adanish,

I'm afraid I've got bad news for you. It seems that you were hit with a file infector. Notably this one: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FChir.B%40mm#tab=2

It probably arrived either through email or through the cracks you've been using.

Win32/Chir (and related variants) is a dangerous file infector which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as well. It will create a readme.eml in every folder that contains HTML files and drops itself on all external/shared and RAM drives.
It also spreads itself through email and is likely to be using your PC as an SMTP server right now.
-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. Understanding virus names

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Chir remains on a computer, the more files it infects and corrupts, so the degree of damage can vary. The files deleted by ComboFix were most likely all already infected and that is the reason they were deleted.

Chir is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies itself as readme.exe. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection. It is also distributing itself over email and may be collecting email addresses on your PC.

In my opinion, Chir is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
  • Reimaging the system
  • Restoring the entire system using a full system backup from before the backdoor infection
  • Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



#4 adanish

Topic Starter

Posted 17 February 2014 - 09:23 AM

Thanks for your time and guidance.

I only need to know now whether I should format all my drives or whether formatting only C: will be enough.

Thanks



#5 myrti

Malware Study Hall Admin

Posted 17 February 2014 - 09:39 AM

Hi,

I would probably recommend reformatting the C:, D:, E: and F: partitions (or drives), at least if you have the necessary backups on drives that were not attached to your PC recently. If you're lacking backups, at least reformat the main drive (C:) and delete all executables (exe, scr, pif, com, ...) and html/htm/eml files from your drive, as those are likely to be infected as well. The chances of being reinfected by some overlooked html/exe file are quite large with these types of infections, unfortunately.

regards
myrti
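A triage inventory that follows myrti's description in #3 (Chir infects .exe and .html/.htm files, drops readme.eml beside HTML and readme.exe on removable drives) and the file types listed in #5, added here as an example and not code from the thread; it assumes the infected volume is mounted read-only on a clean analysis machine and only reports what it finds, never deleting anything.

```python
"""Triage inventory for a volume hit by a Win32/Chir-style file infector.
Assumes the volume is mounted read-only on a clean analysis machine; nothing
here modifies or deletes files (added example, not from the thread)."""
import os
import tempfile

# Extensions the thread names: executables the infector appends to, and the
# HTML/HTM/EML files it creates or contaminates.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com"}
WEB_EXTS = {".html", ".htm", ".eml"}
# Drop names from the thread: readme.eml beside HTML, readme.exe on USB drives.
DROPPER_NAMES = {"readme.eml", "readme.exe"}

def scan_tree(root):
    """Walk root and classify the files the infector targets (paths only)."""
    report = {"executables": [], "web_files": [], "dropper_names": [],
              "readme_eml_beside_html": []}
    for dirpath, _dirs, files in os.walk(root):
        lowered = [f.lower() for f in files]
        has_html = any(os.path.splitext(n)[1] in (".html", ".htm") for n in lowered)
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in EXEC_EXTS:
                report["executables"].append(path)
            elif ext in WEB_EXTS:
                report["web_files"].append(path)
            if name.lower() in DROPPER_NAMES:
                report["dropper_names"].append(path)
            # the thread: a readme.eml is created in every folder holding HTML
            if name.lower() == "readme.eml" and has_html:
                report["readme_eml_beside_html"].append(path)
    return report

def summarize(report):
    """Counts per category: the figure that decides what is worth backing up."""
    return {key: len(paths) for key, paths in report.items()}

def build_sample_tree():
    """Constructed sample volume (empty placeholder files, not real malware)."""
    root = tempfile.mkdtemp(prefix="chir_triage_")
    layout = {"docs": ["index.html", "readme.eml", "notes.txt"],
              "tools": ["setup.exe", "saver.scr", "readme.txt"],
              "usb": ["readme.exe", "photo.jpg"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return root
```

Point `scan_tree` at the mounted drive letter or mount point instead of `build_sample_tree()` to get the real inventory; the categories mirror the delete list from #5, so anything not in them is a candidate for backup.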

#6 Elise

Malware Study Hall Admin

Posted 01 May 2014 - 03:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise

