Solved

Virus/Malware Preventing ComboFix from running

Posted on 2009-07-14
6
2,529 Views
Last Modified: 2013-12-06
I am taking a look at a friend's laptop who was complaining that one day several desktop shortcuts appeared out of nowhere and that Windows Defender and AVG popped up with alerts.

My first reaction was to run ComboFix is Safe Mode, however even though it is a fresh download, ComboFix displays a warning that the computer may be infected with a file-patching virus like "Virut".  Malwarebytes found 30 items and removed them, however ComboFix still will not run.

I attempted to run Trend Micro Housecall, however the browser will not navigate to that page, it hangs up on searching for 'search.avg.com'.  Usually ComboFix is my go-to, but if it won't run even in Safe Mode I'm concerned.  Are there are any boot disks that have it pre-installed?

Attached is the HiJackThis log, any input on how to remove this malware would be greatly appreciated.
hijackthislog.txt
0
Comment
Question by:Chernesky
6 Comments
 
LVL 23

Expert Comment

by:Admin3k
ID: 24849731
try renaming combofix first
0
 

Author Comment

by:Chernesky
ID: 24850067
I should have mentioned that in the original post, I always rename ComboFix before running it because I've had problems with viruses recognizing the name before.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 24850069
Have you tried renaming Combofix before saving to your desktop?

Fix these entries in Hijackthis:
R3 - URLSearchHook: (no name) - *{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)  R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,  O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com  O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com 


C:\WINDOWS\system32\sdra64.exe <-- and remove this file.



You can also try DrWebCureIt, it's a very tool for detecting and removing virut.
http://www.freedrweb.com/
0
Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

 

Author Comment

by:Chernesky
ID: 24850092
I will head over there now to remove those files, expect an update shortly.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24850148
Can you acces this link below, use the Combofix instructions there and see if it runs.

http://www.experts-exchange.com/Community_Support/Hidden/Private_Discussions/Q_24455711.html
0
 
LVL 1

Expert Comment

by:BigPopov
ID: 25320572
Another approach that works sometimes, if renaming doesn't fix the problem,

Start in Safe Mode
- Click/Enter username
-- ASAP, CRTL + ALT + DEL to get the taskbar, even before the desktop loads. This is very important. Any programs that run in the applications list, kill it. If you can kill it quick enough, or even get CF turned on before the rogue program does, it will sometimes allow you to run CF.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Kaspersky Anti-Ransomware Tool for Business 10 136
How scan virus from software download from internet? 11 52
Full list of ransomwares to date 6 127
Endpoint security products 4 58
There are many HijackThis tutorials on the web already, so this article is about tips that help utilize HijackThis' full potential as a diagnostic tool. Download HijackThis from a TrendMicro link or from known reliable sources only. http://free.…
PREFACE The purpose of this guide is to explain what the SEPC Status Utility is and how it works. I have written the utility using AutoIt and have included the source code for your review. You are welcome to modify the code to your liking, but I wi…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now