
Should I try to revert from an accidental use of ComboFix, and if so, how?


5 replies to this topic

#1 Moongazer


Posted 23 October 2016 - 09:36 AM

I recently bought a "refurbished," 6-year-old laptop - a Dell Latitude E6410 - from a company that recycles second-hand (usually ex-business) computers to people on low incomes. It came with Windows 7 Pro installed, including Microsoft Security Essentials. Despite keeping Security Essentials up to date, just a few days ago, my Firefox browser was infected by the web-start.org shortcut-hijacker described here, and also by the two adwares SmartNew Tab virus and cpmofferconvert.com (I suspect all three are related).

When I realised how the web-start hijacker was operating, I immediately edited the shortcuts, but, concerned that the malwares were still lurking in my system, I started downloading and installing the anti-malware programs mentioned here, intending to follow that removal procedure. Initially, I just ran DDS.com and FRST64.exe.

But then I also downloaded ComboFix. I ran it, assuming that it was an installation file, not realising that it is a portable program, which would immediately do its thing with no further input from me (that was not mentioned anywhere). I was horrified, on reading the report it generated, to see how aggressive it had been, deleting many DLL files from ProgramData folders (which I imagine were there for a purpose) and doing I-know-not-what to the registry. It did, however, make a system restore point first and, IIRC, its own backup of the registry.

I found and zipped up the Qoobox folders (3.1MB) (after some initial struggling with the folder permissions), and it is attached below together with the ComboFix report. I have also uploaded them to this webpage (tiny.cc/combofix-mg), which also contains the two DDS reports and the two FRST reports. (I hope these will be some help to responders)
 
I find it hard to believe that ALL of the files deleted by ComboFix were infected. It even deleted Teamviewer.exe, which had been pre-installed by the computer vendor (presumably for support purposes.)

I now know that I should not have run ComboFix without expert advice to do so. But I am now seeking that expert advice as to which of three things to do next:

a.  Should I do nothing, and just accept that ComboFix did the right thing, and that the computer can do without the files it deleted?

b.  Should I use Windows 7 system restore to revert back? (Will that also bring back the files from the quarantine box?)

c.  or should I use the tool CFDQ-UsrPrf.exe mentioned here to restore things to the way they were? Is there any info on exactly what it does? (I am concerned that it was originally provided for a different purpose and may not work for me.)

 

Presumably, in all 3 cases (or at least b and c), I should then use other anti-malware programs to remove the malware.
 

(Edit: In addition to all this grief from using ComboFix, I now see that in spite of all its deletions, it did not kill the adware viruses - my browser is now again unexpectedly opening ads in new tabs, which also include the extremely annoying fake virus-alert warning (with audio), (falsely) claiming to be from Microsoft.)

 

I am an experienced computer user, but I feel a little out of my depth at this stage, and would welcome whatever help I can get.

 

Attached File  ComboFix-Report-1.txt   32.14KB   4 downloads

Attached File  Qoobox.zip   3.1MB   0 downloads


Edited by Moongazer, 24 October 2016 - 09:00 AM.



 


#2 nasdaq


Posted 24 October 2016 - 10:06 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

IMHO ComboFix just cleaned your computer of your Temporary files and any bad files that were found.

Teamviewer you do not want.
http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-chrome&search=Teamviewer.exe

===

Run these tools to clean some of the popups if not all.


Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===

Please post the logs.

Let me know what problems persist with this computer.

#3 Moongazer


Posted 25 October 2016 - 06:59 AM

Thank you, nasdaq. This is what I have done and observed:

I ran MBAM, AdwCleaner and FRST. (The logs are attached.) I then ran MBAM again, because I noticed in the first report: "Rootkits: Disabled", so I made sure to enable that and ran it again. (Both reports are attached.)

None of them found anything really malicious, with one exception (the browser shortcuts) mentioned below.

MBAM listed 724 PUPs, which I did nothing about. They are all related to four programs:
Solvusoft, RegHunter, DellSystemDetect and Tweakbit.

(I'm not sure what Tweakbit is. It doesn't appear in Control Panel's list of installed programs, and there is no file or folder by that name on the hard drive, so I can't uninstall it. It might possibly be related to the utility TweakUAC.exe, but I doubt it.)

In my first post, I wrote that I had manually cleaned my hijacked browser shortcuts. But when I saw the AdwCleaner report, I realised I had overlooked some of them, and I manually cleaned all the five listed by AdwCleaner, as I noted in the report, to which I have added a few comments.

Even after having cleaned all the shortcuts, I observed adware activity in my browser, and from the Firefox history, I can tell that it is the cpmofferconvert.com pop-up redirect, and also the smartnewtab.com redirect which these anti-malware programs do not seem to have eliminated.

 

[Edit: it just occurred to me that although I closed Firefox for the scans and then restarted it, I should also reboot. Maybe that will help.]

Attached Files


Edited by Moongazer, 25 October 2016 - 07:14 AM.
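A defender-side check for the browser shortcut hijacking that Moongazer cleaned up by hand, as an added example that is not code from the thread or from any of the tools it mentions. It assumes the standard Windows 7 shortcut folders and the browser executable names listed in the script; it only reports suspect shortcuts and changes nothing.

```powershell
# Added example (not from the thread): audit browser .lnk shortcuts for injected
# arguments, the technique used by the web-start.org shortcut hijacker above.
# A clean browser shortcut normally has empty Arguments; a hijacked one carries a
# URL or bare domain so every launch opens the adware page. Report only.
$shell = New-Object -ComObject WScript.Shell

# Assumed standard Windows 7 locations for user and all-user shortcuts
$dirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
) | Where-Object { $_ -and (Test-Path $_) }

# Executables whose shortcuts we audit (assumption: these three browsers)
$browsers = 'firefox.exe', 'chrome.exe', 'iexplore.exe'

$findings = foreach ($lnk in Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    if (-not $sc.TargetPath) { continue }          # broken or folder shortcut
    $exe = (Split-Path $sc.TargetPath -Leaf).ToLower()
    if ($browsers -notcontains $exe) { continue }

    # Flag a scheme (http://, https://) or a bare domain such as web-start.org
    if ($sc.Arguments -match 'https?://|\.(com|org|net)\b') {
        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $sc.TargetPath
            Arguments = $sc.Arguments
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No browser shortcuts with injected arguments found.'
}
```

Re-run it after cleaning, and again after a reboot, since the adware Moongazer describes re-wrote shortcuts that had already been fixed once.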


#4 nasdaq


Posted 25 October 2016 - 10:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3564358110-916085399-2262388151-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Extension: (SaveFrom.net helper) - C:\Users\Mottel\AppData\Roaming\Mozilla\Firefox\Profiles\Mottel-02\Extensions\helper@savefrom.net.xpi [2016-10-07]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
U3 catchme; \??\C:\ComboFix\catchme.sys [X]
Task: {4CF3C4C0-5F17-465D-B611-7C8EF9093171} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\JustCloud\Signup Wizard.exe
C:\Users\Mottel\AppData\Roaming\Mozilla\Firefox\Profiles\Mottel-02\Extensions\helper@savefrom.net.xpi
C:\Program Files (x86)\JustCloud

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

Your version(s) of Adobe Flash are out-of-date and vulnerable.
Go to Start > Control Panel > Programs and Features and uninstall the following programs:
Adobe Flash Player 18 ActiveX

Go to this page with Firefox to download the current version for your browser:
https://get.adobe.com/flashplayer/

Note:
Flash Player is pre-installed in Google Chrome and updates automatically!
Flash Player is pre-installed in IE/Edge and updates automatically!
===

Please post the Fixlog.txt and let me know what problem persists.

#5 nasdaq


Posted 01 November 2016 - 10:00 AM

Are you still with me?

#6 Moongazer


Posted 02 November 2016 - 06:17 AM

My apologies. I am still with you, but I have had to put further action on hold to attend to some urgent personal matters that have taken up most of my attention for the past week. There have been no new instances of the adwares redirection hijacking since I (manually) cleaned up the rest of the Firefox shortcuts, but even so, I will still apply your script if you still recommend it. I anticipate that I will attend to this on Friday because I will be in hospital for most of tomorrow.

 

Meanwhile, on November 1st, purely as a temporary measure, I edited the signup wizard scheduled task, which was set to run (for the first time) that evening, and changed its scheduled dates to the 15th of each month.

 

I have some questions about the script you advised me to apply, but I cannot go into them right now. I will post again Thursday evening or Friday.





