
combofix



#1 shovelhead54

Posted 20 October 2014 - 12:59 PM

Have a question about a ComboFix file that I found... It is called CF-UPDATE. Here it is. There are many more. If not normal, can you help...

REM Back up the Winsock2 service key under the swearware key if no backup exists yet
@SWREG QUERY "HKLM\SOFTWARE\swearware\Backup\Winsock2" >N_\%random% 2>&1 ||(
SWREG ACL "HKLM\SOFTWARE\swearware" /RESET
SWREG COPY "HKLM\SYSTEM\CurrentControlSet\Services\WinSock2" "HKLM\SOFTWARE\swearware\Backup\Winsock2" /s
)>N_\%random% 2>&1

REM Build the mirror list (Host header plus IP); only the BleepingComputer mirror is active.
REM Each line is prefixed with %random% so that SORT yields a random mirror order.
@ECHO.%random% -H "Host: download.bleepingcomputer.com" http://208.43.120.24/sUBs/>Mirrors00
REM @ECHO.%random% -H "Host: www.infospyware.com" http://216.69.159.122/sUBs/>>Mirrors00
REM @ECHO.%random% -H "Host: www.compendiate.net" http://69.6.236.82/sUBs/ComboFix.exe/>>Mirrors00
@SORT /M 65536 Mirrors00 /O Mirrors
@DEL /A/F Mirrors00

REM Fetch version.txt from the first mirror that answers; keep only lines matching the GREP pattern
FOR /F "TOKENS=2 DELIMS= " %%G IN ( Mirrors ) DO IF NOT EXIST version.txt (
ComboFix-Download -s --connect-timeout 5 -A "cfcurl/7.15.3 (i586-pc-mingw32msvc) libcurl/7.15.3 zlib/1.2.2" %%Gversion.txt | GREP "^[0-9][0-9].* [0-9]" >version.txt || DEL /A/F version.txt
)>N_\%random% 2>&1

REM Fallback host if none of the listed mirrors returned a usable version.txt
IF NOT EXIST version.txt (
ComboFix-Download -s --connect-timeout 5 -A "cfcurl/7.15.3 (i586-pc-mingw32msvc) libcurl/7.15.3 zlib/1.2.2" -H "Host: www.compendiate.net" http://69.6.236.82/sUBs/ComboFix.exe/version.txt | GREP "^[0-9][0-9].* [0-9]" >version.txt || DEL /A/F version.txt
)>N_\%random% 2>&1

IF NOT EXIST version.txt GOTO :EOF

REM Mandatory update: token 4 of version.txt is at or above the running version (%VER_CF%)
FOR /F "TOKENS=4" %%G IN ( Version.txt ) DO IF /I "%%G" GEQ "%VER_CF%" (
REM Start NIRCMD infobox "--- WARNING !! ---~n~nA critical update is required.~n~nComboFix shall now update itself.~n~n--- WARNING !! ---" "Mandatory Update"
START NIRCMD INFOBOX "%Line63%" ""
DEL /A/F "%sfxname%" >N_\%random% 2>&1
NIRCMD BEEP 2000 1000
GOTO UpdateCFB
)

REM Optional update: token 1 is the latest version; exit if it is not newer than %VER_CF%, otherwise ask the user
@FOR /F %%G IN ( version.txt ) DO (
IF /I "%%G" EQU "%VER_CF%" ECHO.%%G >LatestVer
IF /I "%%G" LEQ "%VER_CF%" GOTO :EOF
)

ECHO.>NoUpdateCF
:: NircmdB.exe QBOXCOMTOP "There's a newer version of ComboFix available.~n~nWould you like to update ComboFix?" "Update" RETURNVAL 1 && GOTO :EOF
NircmdB.exe QBOXCOMTOP "%Line62%" "" FILLDELETE NoUpdateCF
IF EXIST NoUpdateCF GOTO :EOF

:UpdateCFB
REM Download ComboFix.exe from each mirror in turn; accept it only if its size (%%~ZH) equals token 2 of version.txt
FOR /F "TOKENS=2 DELIMS= " %%G IN ( Mirrors ) DO @(
DEL /A/F version.txt ComboFix.exe >N_\%random% 2>&1
CLS
ECHO.
ECHO.%Connecting to ComboFix servers% . . .
ECHO.
ComboFix-Download -s --connect-timeout 10 -A "cfcurl/7.15.3 (i586-pc-mingw32msvc) libcurl/7.15.3 zlib/1.2.2" %%Gversion.txt | GREP -s "^[0-9][0-9].* [0-9]" >version.txt &&(
ComboFix-Download -# -o ComboFix.exe --connect-timeout 10 -A "cfcurl/7.15.3 (i586-pc-mingw32msvc) libcurl/7.15.3 zlib/1.2.2" %%GComboFix.exe
)
IF EXIST ComboFix.exe @FOR %%H IN ( ComboFix.exe ) DO @FOR /F "TOKENS=2" %%I IN ( version.txt ) DO @IF [%%~ZH]==[%%I] GOTO UpdateCFC
)

REM Same download from the fallback host
@IF NOT EXIST ComboFix.exe (
DEL /A/F version.txt >N_\%random% 2>&1
CLS
ECHO.
ECHO.%Connecting to ComboFix servers% . . .
ECHO.
ComboFix-Download -s --connect-timeout 10 -A "cfcurl/7.15.3 (i586-pc-mingw32msvc) libcurl/7.15.3 zlib/1.2.2" -H "Host: www.compendiate.net" http://69.6.236.82/sUBs/ComboFix.exe/version.txt | GREP -s "^[0-9][0-9].* [0-9]" >version.txt &&(
ComboFix-Download -# -o ComboFix.exe --connect-timeout 10 -A "cfcurl/7.15.3 (i586-pc-mingw32msvc) libcurl/7.15.3 zlib/1.2.2" -H "Host: www.compendiate.net" http://69.6.236.82/sUBs/ComboFix.exe/IEXPLORE.EXE
)
IF EXIST ComboFix.exe @FOR %%H IN ( ComboFix.exe ) DO @FOR /F "TOKENS=2" %%I IN ( version.txt ) DO @IF [%%~ZH]==[%%I] GOTO UpdateCFC
)

REM No mirror produced a file of the expected size: clean up and carry on with the existing copy
@DEL /A/F Mirrors version.txt ComboFix.exe >N_\%random% 2>&1
:: @Start NIRCMD infobox "Failed to download updated copy.~n~nWill continue with existing copy" "Failed Download"
@START NIRCMD INFOBOX "%LINE64%" ""
@GOTO :EOF

:UpdateCFC
REM Replace the running self-extractor (%sfxname%) with the downloaded copy and restart ComboFix
@NIRCMD killprocess NIRCMD
@CLS
@DEL /A/F "%sfxname%" >N_\%random% 2>&1
@MOVE /Y ComboFix.exe "%sfxname%" >N_\%random% 2>&1
@ATTRIB +r "%sfxname%" >N_\%random% 2>&1
@REM Start NIRCMD infobox "ComboFix shall now restart" "Updated"
@START NIRCMD INFOBOX "%LINE65%" ""
@PEV WAIT 6000
@NIRCMD KILLPROCESS NIRCMD
@START ComboFix %sfxcmd%
@EXIT

I appreciate any info.
Again, thank you.
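The update decision buried in the batch above, rewritten as an added Python example (editor's code, not ComboFix code and not from the poster) so the control flow is readable. The layout of version.txt is an assumption inferred from the token positions the script reads (token 1 latest version, token 2 file size, token 4 oldest version still allowed); the sample version.txt and the sample download are constructed. The batch verifies nothing about the downloaded file except its byte count; the optional SHA-256 argument in verify_download is an addition here, not something the script or its version.txt provides.

```python
"""Update decision of the CF-UPDATE batch fragment, re-implemented in Python.

Added example, not ComboFix code. The version.txt layout below is an
ASSUMPTION taken from the token positions the batch reads.
"""
import hashlib
import re

# Only lines matching the GREP pattern in the script count as version data.
VERSION_LINE_RE = re.compile(r"^[0-9][0-9].* [0-9]")

# Constructed sample of version.txt (assumed layout):
#   token 1 = latest version  (compared with %VER_CF% for the optional update)
#   token 2 = size in bytes of ComboFix.exe (compared with %%~ZH after download)
#   token 4 = oldest version still allowed (compared with %VER_CF%; mandatory update)
SAMPLE_VERSION_TXT = (
    "ComboFix update info (header line, dropped by the GREP filter)\n"
    "14-10-20.01 12 x 13-01-01.01\n"
)

# Constructed stand-in for a downloaded ComboFix.exe: exactly 12 bytes.
SAMPLE_DOWNLOAD = b"MZ" + b"\x00" * 10


def parse_version_txt(text):
    """Return (latest, size, min_supported) from the first matching line, or None."""
    for line in text.splitlines():
        if not VERSION_LINE_RE.search(line):
            continue
        tokens = line.split()
        if len(tokens) < 4:
            continue
        return tokens[0], int(tokens[1]), tokens[3]
    return None  # batch: version.txt missing or emptied by GREP || DEL


def decide_update(info, current_version):
    """Return 'mandatory', 'optional' or 'none', mirroring the batch.

    Versions are compared as plain strings, which is what cmd's IF does with
    quoted operands; it is assumed here that versions are zero-padded and
    date-ordered (e.g. 14-10-20.01) so that string order matches age.
    """
    if info is None:
        return "none"            # IF NOT EXIST version.txt GOTO :EOF
    latest, _size, min_supported = info
    if min_supported >= current_version:
        return "mandatory"       # TOKENS=4 GEQ %VER_CF% -> GOTO UpdateCFB
    if latest <= current_version:
        return "none"            # TOKENS=1 LEQ %VER_CF% -> GOTO :EOF
    return "optional"            # otherwise NircmdB QBOXCOMTOP asks the user


def sha256_hex(data):
    """Hex SHA-256 of a byte string (helper for the added digest check)."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data, info, expected_sha256=None):
    """Accept the download only if it passes the checks.

    The batch checks nothing but the byte count (%%~ZH against token 2).
    The optional digest comparison is an addition in this example; the
    script's version.txt carries no hash, so the caller must supply one.
    """
    _latest, size, _min_supported = info
    if len(data) != size:
        return False
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256:
        return False
    return True


if __name__ == "__main__":
    info = parse_version_txt(SAMPLE_VERSION_TXT)
    for installed in ("12-05-01.01", "14-09-01.01", "14-10-20.01"):
        print(installed, "->", decide_update(info, installed))
    print("size-only check:", verify_download(SAMPLE_DOWNLOAD, info))
    print("size+digest check:",
          verify_download(SAMPLE_DOWNLOAD, info, sha256_hex(SAMPLE_DOWNLOAD)))
```

Run it as-is to see the three outcomes for an old, a slightly stale and a current install; swap a byte in SAMPLE_DOWNLOAD while keeping its length to see that the size-only check (all the batch does) still passes while the digest check fails.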


#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 20 October 2014 - 05:32 PM

All discussions about ComboFix... how it works, the routines it performs, what it can or cannot do, what the log results mean, future plans, development, etc., are in private areas not for the general public to read. Why? Safeguarding ComboFix from malware writers is necessary and important so that we can continue to use it without attackers having knowledge of how to defeat it. Everything we discuss can be read by the bad guys. Yes, they read these forum topics looking for clues (knowledge) on how to circumvent our tools and removal techniques. We don't want to provide any information they can use against us, so we deliberately do not provide specific information on the inner workings of our tools and how we use them in areas where attackers can see that information. As such, our discussion in public areas is limited and sometimes may appear vague or not fully address a specific question, so it should not be taken personally.

The only public information that is available can be found in this authorized Guide and tutorial on How to use ComboFix hosted by BleepingComputer.

If you want to learn more about ComboFix you will have to enroll in BleepingComputer's Malware Removal Training Program (if space is available) or one of the other various UNITE schools where such training is offered. In that environment experts will train those interested in assisting others with malware removal and in how to use specialized fix tools like ComboFix. Once training has been completed, you will have access to the ComboFix discussion thread to learn more specific information about the tool and ask any questions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

