Solved

Combofix log

Posted on 2011-02-15
Last Modified: 2013-11-22
Trying to rid myself of the search engine redirect virus. I've run malwarebytes, eset, superantispyware, avg, spybot s&d to no avail. I ran combo fix as per the instructions in articleID=3299. Here is my log. I'd appreciate any help I can get. Thanks! Mark

 ComboFixMSJ.txt
Question by:msibley
 
LVL 38

Expert Comment

by:younghv
ID: 34896268
If one of our Experts who is a ComboFix "Trusted Helper" checks in, they can give you a script to run - based on the log you posted.

Until then, you might want to start with TDSSKILLER - very good for 're-direct' malware,  found here:
http://support.kaspersky.com/viruses/solutions?qid=208280684

Let us know the results and we can take the next steps.
0
 

Author Comment

by:msibley
ID: 34896917
Forgot to mention that I ran TDSSKiller beforehand and it didn't find anything. Thanks. Mark
0
 
LVL 38

Expert Comment

by:younghv
ID: 34896992
Thanks Mark.
Sounds as though you know what you're doing.

The only "Trusted Helper" I know of posting here is rpggamergirl, so watch for her to post a script for you.

Out of curiosity, do you have the MBAM log that you could attach as a file here - and did you use the "Save As" function to rename your anti-malware apps before downloading?
0
 

Author Comment

by:msibley
ID: 34897090
Oops, didn't save the mbam log. It found some stuff, mostly tracking cookies and the like. All that superantispyware found was tracking cookies. I uninstalled the various anti-mw apps before running combofix. I reinstalled avg and am now running a full system scan. Didn't know to save those apps to a different filename when downloading... so much for the theory that I know what I'm doing. ;-) Mark
0
 
LVL 38

Expert Comment

by:younghv
ID: 34897193
<laughing>
Understood. On a good day I figure I'm about a 7 on a scale of 1-100.

The need to rename both MBAM and CF (before) downloading is because they are so darn good. The malware writers actually include code to watch for either of those names being copied to the computer, then prevent them from being loaded/run.

Your CF log (I think) shows a couple of apps running out of the profile (temp) files, which I don't like to see.

Have you run any of the various "Temp/Junk" file removers?
My personal preference is for www.ccleaner.com

I've personally used it for several years and it has been rock solid.
It also has a "Registry" function that will clean up/verify accurate registry entries. If you use THAT, make sure you also accept the 'save' function of the old registry.
0
 

Author Comment

by:msibley
ID: 34903263
Just now getting home from the office. AVG ran a full scan and basically didn't find anything. I'll run ccleaner to see if it finds anything and post the results. The redirection of links in Google has stopped, which is a good sign. Mark
0
 
LVL 38

Expert Comment

by:younghv
ID: 34905303
<<I'll run ccleaner to see if it finds anything and post the results.>>

Minor correction -
CCleaner doesn't really look for anything specific during the cleaning function (no report to review) - it just throws out everything it finds.
0
 
LVL 15

Expert Comment

by:Perarduaadastra
ID: 34905700
I'm not a trusted helper in regard to Combofix, but I've used it many times with excellent results.

When all else has failed, I have run it in Safe Mode, even though this is not recommended, and it has killed the threat without killing the OS, though on one occasion the networking broke and had to be fixed afterwards.
A particularly useful feature I've found in Combofix is the comprehensive log that it generates when it's finished, because it shows the attributes of the files it lists; looking at anything with system and hidden attributes set has revealed, on occasion, randomly named files that were implicated in the threat even if they weren't specifically identified as such, so allowing them to be dealt with accordingly.

Another tool to try is HijackThis - it doesn't fix anything but it is particularly good at detecting browser hijacks and reporting on them. This Wikipedia article tells you about it in more detail, and links to the official site.

Hope this helps.
0
 
LVL 15

Expert Comment

by:Perarduaadastra
ID: 34905705
Oops, forgot the link...

http://en.wikipedia.org/wiki/HijackThis
0
 
LVL 38

Expert Comment

by:younghv
ID: 34905831
<<A particularly useful feature I've found in Combofix is the comprehensive log that it generates when it's finished,>>

You mean just like the one attached to the original post up at the start of this question?
0
 
LVL 15

Expert Comment

by:Perarduaadastra
ID: 34905973
Ahem, *blush* - you're right, Younghv! The quickness of the eye deceives the brain cell...
0
 
LVL 38

Expert Comment

by:younghv
ID: 34906614
Heh - have another cup of coffee (my treat).
0
 

Author Comment

by:msibley
ID: 34906638
Thanks for the additional input. The more eyes we have on the problem, the better--even if some of the eyes are too fast for their respective occipital grid ;-)

Any recommendations on options for finding a "trusted helper" to look over the log? Another site, perhaps?

Mark
0
 
LVL 15

Assisted Solution

by:Perarduaadastra
Perarduaadastra earned 25 total points
ID: 34906686
I would be inclined to view the c:\windows\system32\nvdrssel.bin and the c:\windows\Rmequ.bin files with a certain degree of suspicion, mainly because of their reported sizes; 1 byte and 0 bytes don't seem large enough to be useful. There seem to be references to Linux in the report, and the Rmequ.bin file may be connected with that, but otherwise I would be inclined to put them in the Recycle Bin initially, and if everything still ran as it should, delete them.
0
 
LVL 12

Assisted Solution

by:rossfingal
rossfingal earned 25 total points
ID: 34908198
I do not like to "muddy the waters here", however -
"Combo Fix" (CF) is not MBAM, Super AS, TDSS, RKILL, AdAware, Spybot S&D, HijackThis;
or any other "Anti-Malware" tool.
Not knowing where you downloaded the copy of CF -
(there are 2 places that are advised to download from - the rest are "mirrors",
and they may not have the most updated version).
For one thing - you're running "CF" out of a "Folder" - it should be run from your "Desktop".
Also, it should not be run unless you're instructed to do so by someone (rpggamergirl!)
who has the required expertise to use it.
Improper use of "CF" can do more "unpleasant" things to a computer, than loss of the ability
to connect to the Internet - unfortunately, I speak from experience!
You should probably wait for "rpggamergirl" - follow this person's instructions.

rossfingal
0
 

Author Comment

by:msibley
ID: 34909996
I followed the advice in the article by rpggamergirl mentioned in my original post and downloaded ComboFix from the site recommended (bleepingcomputer.com) and followed the instructions there in running it. CF updated itself to the most recent version when I ran the script. Mark
0
 
LVL 38

Expert Comment

by:younghv
ID: 34910170
@msibley,
I have no idea what occasioned that last "Expert" comment, but as the EE Page Editor who actually published the Article you used, I can say that without question you followed her advice to the letter (to include posting this question WITH your CF log).

I think it is fair to conclude that since I was designated as a Page Editor by TPTB at EE to approve the content, accuracy, and efficacy of all Articles in the Virus & Spyware Zones that I am also qualified to offer technical advice to our Members.

Just in case anyone else wants to challenge my technical expertise, I encourage them to review the Article used for this question:

http://www.experts-exchange.com/A_3299.html

as well as the two Articles I have published of a similar nature:

http://www.experts-exchange.com/A_1940.html
http://www.experts-exchange.com/A_1958.html

I also find it helpful to review the EE Profile of other Experts (just click on their name in the header of a comment) to get some indication of their actual performance here on EE:

http://www.experts-exchange.com/M_3628488.html
0
 

Author Comment

by:msibley
ID: 34918748
I deleted the 2 files mentioned by Perarduaadastra without any apparent ill effects.

Mark
0
 
LVL 15

Expert Comment

by:Perarduaadastra
ID: 34918975
Has anything worked yet?
0
 

Author Comment

by:msibley
ID: 34919208
After running ComboFix, the search engine redirection quit affecting my browsers, which is a good thing. I'm wanting to follow up with the advice of having the log read so that I can clean up any residual threats.

Mark
0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 200 total points
ID: 34919318
msibley,
I sent a note to 'rpg' asking her to check in, but not sure if that is going to happen.

After this many days of no symptoms, I would suggest that you took all the right steps by following that Article.

If you haven't yet, go back to the Article and click on the 'Yes' button - that will earn her a few Expert points.

I don't think any of us added any information that you didn't already have, so no need to award any of us points.

To keep this information in the EE database, you can simply click on the "Accept as Solution" link below your last comment - or - click on the "Accept and Award" link and pass around some points to helpful comments.

Your choice entirely.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34919855
As a somewhat late arrival, and with reference to your original ComboFix log file entry, i suspect your browser re-direction was due to the BHO and registry entries, shown here>>

<quote>
[- HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

[- HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
<unquote>

Haven't yet confirmed that all of these are nasty ...but still working on it  :)
If you have a more recent log file, it could make interesting reading!

i agree with younghv's comments, & it would be great to see the re-appearance of rpggamergirl ...among other things, a great script writer!
0
 

Author Comment

by:msibley
ID: 34920418
So, should I run ComboFix again to produce another log?

BTW, what is BHO?

Mark
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34920551
A BHO is a Browser Helper Object:
http://en.wikipedia.org/wiki/Browser_Helper_Object

A ComboFix log would certainly be useful, and could show us if the above nasties have been removed (i'm now pretty certain that all those listed earlier are nasty).

On the other hand, if your computer is now running well, naturally i'm hesitant about re-running Combo  ....but this would leave us all in some doubt about how well your machine has been disinfected!

Hmm ..on balance i would go for another Combo scan.
0
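As an added illustration of the kind of check discussed above (this is not code from the thread or from ComboFix), the following PowerShell enumerates the Browser Helper Objects registered on a Windows machine, resolves each CLSID to the DLL Internet Explorer would load, and flags entries worth a closer look. The registry locations are the standard BHO registration points; the "suspicious" heuristic (DLL missing, unsigned, or living under a temp or user-profile folder) is an assumption chosen for triage, not a verdict.

```powershell
# Added example: enumerate registered BHOs and resolve each CLSID to its DLL.
# Registry paths are the standard BHO / COM registration points (32- and 64-bit views).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')

function Resolve-BhoDll {
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $inproc = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -Path $inproc) {
            # The (default) value of InprocServer32 holds the DLL path, possibly with %SystemRoot% etc.
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
    }
    return $null
}

# Assumption for triage only: a BHO DLL under a temp or user-profile folder deserves attention.
$oddLocation = '(?i)\\(Temp|Local Settings|Users|Documents and Settings)\\'

$results = foreach ($key in $bhoKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $clsid  = $sub.PSChildName                  # e.g. {D4027C7F-154A-4066-A1AD-4243D8127440}
        $dll    = Resolve-BhoDll -Clsid $clsid
        $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)
        $signed = $false
        if ($exists) {
            # Authenticode status: 'Valid' means a trusted publisher signed the file.
            $signed = (Get-AuthenticodeSignature -FilePath $dll).Status -eq 'Valid'
        }
        [PSCustomObject]@{
            CLSID      = $clsid
            DllPath    = $dll
            Exists     = $exists
            Signed     = $signed
            Suspicious = (-not $exists) -or (-not $signed) -or ($dll -match $oddLocation)
        }
    }
}

# Suspicious entries first; each CLSID here maps to a ComboFix log / CFScript "Browser Helper Objects" line.
$results | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the 64-bit registry view is readable; the CLSIDs it prints are the same ones that appear in the bracketed registry lines of a ComboFix log.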
 
LVL 27

Expert Comment

by:Jonvee
ID: 34920589
If you do, please download from here, and save to your Desktop, not a temporary folder>
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

A refresher ;)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34921904
msibley,
Have to log off for the night shortly, but earlier this script was put together.
However i must emphasise that it is based on the entries in your first ComboFix log file.   Since you now report that the browser problem seems resolved, some (or hopefully all) of these entries should have been deleted.
Please do not use this script until we have reviewed any new Combo log file that you may generate; it's simply offered as a guide, and would probably need some modification on a second ComboFix run.


1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
======================================================

File::
c:\program files\Ask.com\GenericAskToolbar.dll

Folder::
c:\windows\Rmequ.bin

Registry::
[- HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

[- HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[- HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[- HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[- HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= -

[- HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]


==================================================

3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix, to remove the problem.
5. Finally, please attach the new ComboFix logfile.

Will drop by in the morning ...
0
 

Author Comment

by:msibley
ID: 34922576
Out of town ... Be back in 24hrs.

Mark
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34923841
No problem ...we'll be here.
0
 

Author Comment

by:msibley
ID: 34933770
Ran a second ComboFix. The log is attached.

Mark
ComboFixMSJ.txt
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34933820
Thanks. Including interruptions it'll take maybe an hour or two. Will post asap.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34934001
Okay thanks ....well, the new log file appears to be the same as your first scan, except the c:\windows\Rmequ.bin folder appears to be missing, presumably deleted by ComboFix on the last run ...but let's include that entry as before.

Therefore, please run this script (which i've repeated below).
If you'd like a reminder of how you can drag the CFScript.txt just created into ComboFix.exe, just open & scroll down on the "bleepingcomputer" link above.


1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
======================================================

File::
c:\program files\Ask.com\GenericAskToolbar.dll

Folder::
c:\windows\Rmequ.bin

Registry::
[- HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

[- HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[- HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[- HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[- HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= -

[- HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]


==================================================

3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix, to remove the problem.
5. Finally, please attach the new ComboFix logfile.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34934071
@Jonvee,
What is the concern with the "Ask.com" toolbar?
The site has been around forever and I hadn't heard it associated with malware before.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34934205
@ younghv
Yesterday i was convinced that Malware had camouflaged itself as the GenericAskToolbar.dll file, especially as it was located in the C:\windows\system32 folder. The associated BHO appeared to me to be the only reason for Mark's browser redirect.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 34934211
Something about "ASK" -:
Quote

    * It promotes its toolbars on sites targeted at kids.
    * It promotes its toolbars through ads that appear to be part of other companies' sites.
    * It promotes its toolbars through other companies' spyware.
    * It is Installed without any disclosure whatsoever and without any consent from the user whatsoever.
    * It Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
    * It makes confusing changes to user's browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com - http://www.benedelman.org/spyware/installations/askjeeves-banner/
Unquote
Just something that's been found - user's choice.
Regards!
rossfingal
0
 
LVL 38

Expert Comment

by:younghv
ID: 34934237
Thanks JV - I'm always interested in learning more, but sorry to see that "Jeeves" might be at fault...

wait for it....

(the butler did it?).
0
 

Author Comment

by:msibley
ID: 34934590
Here is the latest log from CF--after running the script Jonvee provided. How's it look?

Mark
ComboFixMSJ2.txt
0
 
LVL 27

Accepted Solution

by:
Jonvee earned 250 total points
ID: 34934881
@ msibley ... The latest CF log file shows that the appropriate components have been deleted (as expected), but what about signs of your redirect Malware? Has there been any improvement in browsing? i'll have another look at the log again shortly.

@ younghv ... Hmm, believe it or not i was beginning to suspect Gussie Fink-Nottle ;)
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34934987
The CF log looks ok.   Off now until morning.
0
 

Author Comment

by:msibley
ID: 34935184
Browser works OK.

Thanks to all for your assistance.

Mark
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34936017
After reading the comments in your thread again it can be seen that it was your first run of CF that resolved the main issue of browser redirection, and as younghv said there was no need to award any of us any points!
However ... thanks!  It was an interesting thread.

You should now uninstall ComboFix as follows >
Start > Run > then type "ComboFix /Uninstall" (with no quotes, and space between x and / )
Then hit enter.  
This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.
0
 

Author Comment

by:msibley
ID: 34936752
Thanks. Got 'er done.

Mark
0