medcomputers


Problem using ComboFix

I have run ComboFix and everything seemed fine until I received a message saying rootkits had been detected on my system and ComboFix would restart my computer. There was a warning saying NOT to reboot manually. I left my computer overnight, about 10 hours, but nothing had changed. So I decided to restart the computer.
The computer started normally but ComboFix restarted from scratch. It is now stuck at Stage 49. The HDD activity light is on permanently and nothing appears to be happening.
I'd be very grateful for any advice as to what to do next.
Matthew
optoma

It could hang there for an hour!
Did you install recovery console?

If it hangs again, after an hour I tend to close it and boot into safe mode with networking and run it. Keep an eye on it so when it reboots machine, go back into safe with networking for it to complete.


Post its logfile after
ASKER CERTIFIED SOLUTION
Member_2_921743
medcomputers

ASKER

Hi optoma
Thanks for the post. ComboFix did eventually complete properly and I am attaching the log. It seems very long, 13 pages.
The reason I was running it is that I have been having problems with my internet searches under Firefox being constantly hijacked. Whether I use a search engine or type straight into the address bar, I'm often sent off to a totally irrelevant site.
Do you think I should submit a new question, now I have sorted ComboFix, or can you help at all?
Thanks
Matthew
log050410.txt
SOLUTION
Just remove the unwanted add-ons in Mozilla.
Hi greyknight17:
I have done as you suggest and attach OTL.txt and Extras.txt.

samsymon: Not sure how to remove Mozilla add-ons. Could you advise? Do I need to remove all add-ons?

Thanks

Matthew
Extras.Txt050410.txt
Hi greyknight17

OTL.Txt attached.

Matthew
OTL.Txt050410.txt
SOLUTION
Hi optoma
I had completely forgotten about Avira AntiVir, which I have now deleted. Just running Sophos.
Looks like redirects have now stopped which is great.
I have scanned with Hitman and nothing new came up.
I'm just going to search the internet some more and look for greyknight17's response to OTL logs.
I'll get back to you all tomorrow.
Thanks
Matthew
Hi,
ComboFix sorted the patched system file which caused the redirects.
There's probably some remnants and if so Greyknight will spot them in the logs.

No harm to run a scan with Sophos and post its logfile after if anything is detected.

U drive > is that a removable drive?

If so, run Flash Disinfector.
On any device like that (removable) run Flash Disinfector:
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
-Download to desktop
-Run it
-Follow prompts
-When asked, plug in removable usb device
-It will prompt when scan is finished
-Repeat for next removable usb
Hi optoma
I ran Flash Disinfector as you suggest. It picked up my external hard drive but then nothing else happened. No dialogue box to say the scan finished, just nothing. How long should it take, is this normal?
Also I have run Sophos Anti-Rootkit, which identified over 500 hidden processes. Each one had a different diagnosis and I wasn't sure what to do. Do you think I should let it clean up the ones it will let me clean up?
A Sophos antivirus scan showed nothing unusual.
Thanks
Matthew
SOLUTION
Hi guys
Thanks for all your help. Redirects fixed. Also the PC seems to be running much more smoothly and I have a much better idea about how to use ComboFix should I need to again in the future.
Before I close the question and allocate your points could you give me any tips on how to manage/deal with rootkits? Should I just leave them alone? Some of those detected by Sophos Anti Rootkit came with a warning sign saying they were dangerous and should be removed but I didn't change anything at the time.
Thanks
Matthew
If you want, post Sophos' logfile and we can try and get somebody else to view the logs if Greyknight doesn't get to it.

You can leave thread open if you want for a bit :)
Hi optoma
Thanks for post. I'm attaching screen prints I have taken of Sophos AntiRootkit. As you can see you cannot see all detections in the form of a logfile. I have scrolled through the list and notice that all rootkits detected are on my G drive where I have installed a RC of Windows 7. I'm shortly going to format the drive partition and reinstall a final version of Windows 7. When I have done that I will do another scan and review the situation.
Matthew
Sophus-AntiRootkit-Scan-080410.docx
SOLUTION
rpggamergirl
For a rootkit scanner, GMER is a lot better compared to some rootkit scanners... unless you're familiar with tools like AVZ or IceSword.
Any decent walkthrough/more info on AVZ that's in English, RPG? PM? :)
Hi rpggamergirl:
I have run ComboFix again as you suggest above and am attaching the logfile. Do you think I need to take any further action?
Thanks
Matthew
ComboFix.txt
SOLUTION
Hi rpggamergirl:

I have run CCleaner and everything is looking good.
One last question. Is it advisable to uninstall ComboFix? I notice it has added Recovery Console to my boot options. Could I just leave that? It might be useful at some stage in the future.
Thanks
Matthew
Good that all is ok Matthew :)

@ Rpg
agreed! Consequences can be drastic unaided.
Uninstalling ComboFix will not uninstall the Recovery Console. It's recommended to be uninstalled so users will not mess around with CF, as it is a very powerful tool only to be used under the guidance of a Helper.
And so users won't have the chance of running an outdated version at any time, as it is very risky to run an outdated ComboFix.
sUBs updates ComboFix very often, especially when a new variant surfaces. You can keep CF on the system if you wish, so long as you update it before running a scan at a later time and don't mess around with CF commands.
Hi everyone
Looking good at the moment. I'd just like to thank all of you for all your help especially optoma and rpggamergirl.
I have followed all rpggamergirl suggestions including uninstalling ComboFix.
Time to close the question. I'll try and allocate points as fairly as possible.
Thanks again.
Matthew
You're welcome Matthew :)
Learnt a lot following great advice from Experts Exchange Experts. Clear and thorough thread.
Thanks
Matthew
No problem, glad we could help :)

Thank you for using Experts-Exchange!