Problem using ComboFix

I have run ComboFix and everything seemed fine until I received a message saying rootkits had been detected on my system and ComboFix would restart my computer. There was a warning saying NOT to reboot manually. I left my computer overnight, about 10 hours, but nothing had changed. So I decided to restart the computer.
The computer started normally but ComboFix restarted from scratch. It is now stuck at Stage 49. The HDD activity light is on permanently and nothing appears to be happening.
I'd be very grateful for any advice as to what to do next.
Matthew
medcomputers asked:
optoma commented:
It could hang there for an hour!
Did you install recovery console?

If it hangs again, after an hour I tend to close it and boot into safe mode with networking and run it. Keep an eye on it so when it reboots machine, go back into safe with networking for it to complete.


Post its logfile after
greyknight17 commented:
Run the following tool also:

Download OTL to your Desktop
http://oldtimer.geekstogo.com/OTL.exe

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
/md5stop
CREATERESTOREPOINT

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
          o When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
* Please attach the files here.
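As an added example (not part of the thread, and not OTL's own code): the /md5start ... /md5stop block above asks OTL to hash a fixed set of system DLLs and storage drivers so a helper can compare them with clean copies, because a rootkit that patches one of them in place leaves the file name, location and size looking normal. The PowerShell below does the same hashing itself and additionally asks Windows for each file's Authenticode status. It assumes an elevated prompt; the $KnownGood table (and the commented-out hash in it) is a hypothetical placeholder you would fill from a clean machine of the same Windows build and service pack; most of the .sys names are optional vendor storage drivers and are simply absent on a given PC.

```powershell
# Added example: hash and signature-check the same system files the OTL
# /md5start ... /md5stop custom scan enumerates. Not OTL code.
# Assumptions (not from the page): elevated PowerShell; $KnownGood is a
# hypothetical table populated from a clean reference machine of the same build.

$Files = @(
    'eventlog.dll','scecli.dll','netlogon.dll','cngaudit.dll','sceclt.dll',
    'ntelogon.dll','logevent.dll','iaStor.sys','nvstor.sys','atapi.sys',
    'IdeChnDr.sys','viasraid.sys','AGP440.sys','vaxscsi.sys','nvatabus.sys',
    'viamraid.sys','nvata.sys','nvgts.sys','iastorv.sys','ViPrt.sys',
    'eNetHook.dll','ahcix86.sys','KR10N.sys'
)

# Where these files normally live; a missing file is expected for vendor drivers.
$SearchDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System32\drivers')
)

# Hypothetical known-good MD5s: fill in from a clean system of the same build.
$KnownGood = @{
    # 'atapi.sys' = '0123456789ABCDEF0123456789ABCDEF'
}

# Uses .NET directly so it also runs on PowerShell 2.0 (Windows 7 era),
# which has no Get-FileHash cmdlet.
function Get-Md5Hex {
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join ''
    }
    finally {
        $stream.Dispose()
    }
}

$Results = foreach ($name in $Files) {
    foreach ($dir in $SearchDirs) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $hash = Get-Md5Hex -Path $path
        $sig  = Get-AuthenticodeSignature -FilePath $path

        # Compare with the reference hash when we have one for this file name.
        $verdict = 'no-reference'
        if ($KnownGood.ContainsKey($name)) {
            $verdict = if ($KnownGood[$name] -ieq $hash) { 'hash-match' } else { 'HASH-MISMATCH' }
        }

        New-Object PSObject -Property @{
            File      = $path
            MD5       = $hash
            Signature = $sig.Status     # Valid, NotSigned, HashMismatch, ...
            Verdict   = $verdict
        }
    }
}

# Anything reported as HashMismatch/NotSigned, or HASH-MISMATCH against the
# reference table, is what a helper would look at first.
$Results | Sort-Object Signature, File | Format-Table File, MD5, Signature, Verdict -AutoSize
```

Two caveats a practitioner should keep in mind. On Windows 7-era PowerShell, Get-AuthenticodeSignature reports NotSigned for operating-system files that are signed only through a security catalog, so treat NotSigned there as inconclusive rather than as proof of tampering; the hash comparison against a clean copy of the same build is the real check, which is exactly why OTL collects the MD5s for a helper to compare. And MD5 is adequate for asking "is this byte-for-byte the file from the clean machine?", but if your reference list offers SHA-256, use that.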
medcomputers (author) commented:
Hi optoma
Thanks for post. ComboFix did eventually complete properly and I am attaching the log. It seems very long, 13 pages.
The reason I was running it is that I have been having problems with my internet searches under Firefox being constantly hijacked. Whether I use a search engine or type straight into the address bar, I'm often sent off to a totally irrelevant site.
Do you think I should submit a new question, now I have sorted ComboFix, or can you help at all?
Thanks
Matthew
log050410.txt
samsymon commented:
Just remove the unwanted add-ons in Mozilla.
medcomputers (author) commented:
Hi greyknight17:
I have done as you suggest and attach OTL.txt and Extras.txt.

samsymon: Not sure how to remove Mozilla add-ons. Could you advise? Do I need to remove all add-ons?

Thanks

Matthew
Extras.Txt050410.txt
medcomputers (author) commented:
Hi greyknight17

OTL.Txt attached.

Matthew
OTL.Txt050410.txt
optoma commented:
No need to open new thread.

Redirects stopped now?

> Do you currently have two resident anti-virus products installed:
Sophos + Antivir?
If so, remove one, as they can cause conflicts.

> I don't see anything too obvious in ComboFix's logfile, but wait for GreyKnight to get back to you to review them :)

> If you want, run a scan with HitmanPro. If it detects anything, post back the full path + filename:
http://www.surfright.nl/en/hitmanpro

medcomputers (author) commented:
Hi optoma
I had completely forgotten about Avira AntiVir, which I have now deleted. Just running Sophos.
Looks like redirects have now stopped which is great.
I have scanned with Hitman and nothing new came up.
I'm just going to search the internet some more and look for greyknight17's response to OTL logs.
I'll get back to you all tomorrow.
Thanks
Matthew
optoma commented:
Hi,
ComboFix sorted the patched system file which caused the redirects.
There are probably some remnants and, if so, Greyknight will spot them in the logs:

No harm in running a scan with Sophos and posting its logfile after, if anything is detected.

U drive > is that a removable drive?

If so, run Flash Disinfector. On any removable device like that, run Flash Disinfector:
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
-Download to desktop
-Run it
-Follow prompts
-When asked, plug in removable usb device
-It will prompt when scan is finished
-Repeat for next removable usb
medcomputers (author) commented:
Hi optoma
I ran Flash Disinfector as you suggest. It picked up my external hard drive but then nothing else happened. No dialogue box to say the scan was finished, just nothing. How long should it take, is this normal?
Also I have run Sophos Anti-Rootkit, which identified over 500 hidden processes. Each one had a different diagnosis and I wasn't sure what to do. Do you think I should let it clean up the ones it will let me clean up?
A Sophos antivirus scan showed nothing unusual.
Thanks
Matthew
optoma commented:
Leave external hard drive unplugged from machine.
Open Flash Disinfector
When prompted plug in external drive
On that external drive there should now be a hidden "autorun.inf" folder.
Once it's there, Flash Disinfector has done its job.

Don't remove anything yet. Rootkit scans can show legitimate processes, so if deleted, they can leave the system unusable/unstable!
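As an added example (not from the thread, and not Flash Disinfector's own code): the check optoma describes above, done in PowerShell. The idea behind the hidden autorun.inf folder is that a name can only be used once on a volume, so a USB worm that tries to drop an autorun.inf file next to its executable fails. The function below refuses to touch anything but removable media, reports whether the protective folder is there, shows what a genuine autorun.inf file would launch rather than deleting it, and can create the folder itself. It assumes an elevated prompt and takes the drive letter of the device you plugged in (the thread's "U" drive is used in the sample call); the function name and its -Create switch are this example's own.

```powershell
# Added example: verify or create the hidden "autorun.inf" folder on a removable
# drive, as Flash Disinfector does. Not Flash Disinfector code.
# Assumptions (not from the page): elevated PowerShell; -DriveLetter is the
# removable device's letter (e.g. U).

function Test-AutorunGuard {
    param(
        [Parameter(Mandatory = $true)][string]$DriveLetter,
        [switch]$Create
    )

    $letter = $DriveLetter -replace '[:\\]+$', ''
    $root   = "${letter}:\"
    $path   = Join-Path $root 'autorun.inf'

    # Refuse to touch anything but removable media (Win32_LogicalDisk DriveType 2).
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='${letter}:'"
    if (-not $disk -or $disk.DriveType -ne 2) {
        return New-Object PSObject -Property @{ Drive = $root; State = 'not-removable'; Detail = '' }
    }

    # -Force is required, otherwise hidden/system items are not returned at all.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

    if ($item -and $item.PSIsContainer) {
        # A folder occupies the name, so a dropper cannot create autorun.inf as a file.
        return New-Object PSObject -Property @{ Drive = $root; State = 'protected'; Detail = "$($item.Attributes)" }
    }

    if ($item) {
        # A genuine autorun.inf file: report what it would launch; leave removal to the helper.
        $launch = Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
                  Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' }
        return New-Object PSObject -Property @{ Drive = $root; State = 'AUTORUN-FILE-PRESENT'; Detail = ($launch -join '; ') }
    }

    if ($Create) {
        $dir = New-Item -ItemType Directory -Path $path
        # Hidden + System, the same kind of folder the post above describes.
        $dir.Attributes = [System.IO.FileAttributes]'Hidden, System'
        return New-Object PSObject -Property @{ Drive = $root; State = 'created'; Detail = "$($dir.Attributes)" }
    }

    New-Object PSObject -Property @{ Drive = $root; State = 'unprotected'; Detail = '' }
}

# Sample call for the drive the thread calls "U"; add -Create to put the folder in place.
Test-AutorunGuard -DriveLetter U | Format-List Drive, State, Detail
```

Two things worth knowing before relying on this. Windows 7 already ignores autorun.inf on USB mass-storage devices, and Microsoft later shipped the same change for XP and Vista, so on a patched machine the folder only stops the dropper from writing its file; the worm's executable on the stick still has to be found and removed. And an autorun.inf file that is already there is evidence: read its open=/shellexecute= lines to learn the dropper's file name before anything is deleted.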
medcomputers (author) commented:
Hi guys
Thanks for all your help. Redirects fixed. Also the PC seems to be running much more smoothly and I have a much better idea about how to use ComboFix should I need to again in the future.
Before I close the question and allocate your points could you give me any tips on how to manage/deal with rootkits? Should I just leave them alone? Some of those detected by Sophos Anti Rootkit came with a warning sign saying they were dangerous and should be removed but I didn't change anything at the time.
Thanks
Matthew
optoma commented:
If you want, post Sophos' logfile and we can try and get somebody else to view the logs if Greyknight doesn't get to it.

You can leave thread open if you want for a bit :)
medcomputers (author) commented:
Hi optoma
Thanks for post. I'm attaching screen prints I have taken of Sophos Anti-Rootkit. As you can see, you cannot see all detections in the form of a logfile. I have scrolled through the list and notice that all rootkits detected are on my G drive, where I have installed an RC of Windows 7. I'm shortly going to format the drive partition and reinstall a final version of Windows 7. When I have done that I will do another scan and review the situation.
Matthew
Sophus-AntiRootkit-Scan-080410.docx
rpggamergirl commented:
The search redirect was caused by the patched system driver "atapi.sys", which ComboFix had taken care of.

There's one locked reg entry with an embedded null showing in the CF log that you can have ComboFix take care of by running the script below.
Had a quick glance at the OTL and Extras logs, nothing grabs.

Sophos Anti-Rootkit is flagging those files as rootkits as false positives; Sophos does that to files with the $TXF_DATA attribute.

Run ComboFix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 
rpggamergirl commented:
For a rootkit scanner, GMER is a lot better compared to some other rootkit scanners... unless you're familiar with tools like AVZ or IceSword.
optoma commented:
Any decent walkthrough/more info on AVZ that's in English, RPG? PM? :)
medcomputers (author) commented:
Hi rpggamergirl:
I have run ComboFix again as you suggest above and am attaching the logfile. Do you think I need to take any further action?
Thanks
Matthew
ComboFix.txt
rpggamergirl commented:
Matthew,
Good, ComboFix took care of that reg entry.
You can also run CCleaner to clean up temp folders.
The issue is resolved, so if everything's okay after a day or so you may then uninstall ComboFix.
To uninstall Combofix:
Go to Start > Run and copy and paste the next command into the field:

ComboFix /Uninstall
 
After uninstalling ComboFix you can do some more cleanup:
•Double click on OTL to run it.
•Click on the Cleanup button.
•You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
•This will remove itself and other tools you may have used.
 

@ optoma:
Sorry I don't have a link...the program is in English. Though I would suggest one should use it under the guidance of a Helper, unless the user is very familiar with the tool.
medcomputers (author) commented:
Hi rpggamergirl:

I have run CCleaner and everything is looking good.
One last question. Is it advisable to uninstall ComboFix? I notice it has added Recovery Console to my boot options. Could I just leave that, as it might be useful at some stage in the future?
Thanks
Matthew
optoma commented:
Good that all is ok Matthew :)

@ Rpg
agreed! Consequences can be drastic unaided.
rpggamergirl commented:
Uninstalling ComboFix will not uninstall the Recovery Console. It's recommended to be uninstalled so users will not mess around with CF, as it is a very powerful tool only to be used under the guidance of a Helper,
and so users won't have the chance of running an outdated version at any time, as it is very risky to run an outdated ComboFix.
sUBs updates ComboFix very often, especially when a new variant surfaces. You can keep CF on the system if you wish, so long as you update it before running a scan at a later time and don't mess around with CF commands.
medcomputers (author) commented:
Hi everyone
Looking good at the moment. I'd just like to thank all of you for all your help especially optoma and rpggamergirl.
I have followed all rpggamergirl suggestions including uninstalling ComboFix.
Time to close the question. I'll try and allocate points as fairly as possible.
Thanks again.
Matthew
optoma commented:
You're welcome Matthew :)
medcomputers (author) commented:
Learnt a lot following great advice from Experts Exchange Experts. Clear and thorough thread.
Thanks
Matthew
rpggamergirl commented:
No problem, glad we could help, :)

Thank you for using Experts-Exchange!
Anti-Virus Apps
