Solved Combofix advisability for Windows 8.1

craigwf

New Member
Thread author
Dec 14, 2014
10
Is Combofix a good solution when the OS is Windows 8.1? They specifically state at combofix.org that it is "NOT for Windows 8". I have read of many disasters when others use Combofix, the main complaint being that it automatically deletes all detections without user approval, sometimes leaving the user unable to boot into Windows.

Additional info: The infection is in a tech newbie's PC who I am trying to help. Today I am going to throw a few more tools at the problem: Malwarebytes Anti-Rootkit, TDSSKiller, RKill, Hitman Pro, RogueKiller and Emsisoft Smart Scan. If those don't find the problem, I will be back later with scan logs.
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Hello,

Before we begin, please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.


Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
 

craigwf

New Member
Thread author
Dec 14, 2014
10
Sorry, I thought I was going over to her house yesterday but now it doesn't look like I can get there to run a scan for a few days. I hope we can keep this conversation alive until then. In the meantime, I will not run any of the tools I have collected until directed by you. Thanks for helping.
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    2.5 KB

craigwf

New Member
Thread author
Dec 14, 2014
10
The fix seems to have worked on Internet Explorer, but opening Chrome took me to a weird page (vosteran.com) that tried to get me to download Adobe Flash (probably a bogus version). So I uninstalled Chrome, including its browsing history. Her primary browser is IE, so if she wants Chrome in the future, she can download it. There is also Firefox on the pc which she didn't know she has. Attached is the fixlog and a new FRST scan that I ran after rebooting from the fix.
 

Attachments

  • Fixlog.txt
    6.4 KB
  • FRST.txt
    30.1 KB

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION


Chrome installation is altered by malware. Reinstall is needed.

Uninstall and install new Chrome.




Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    1.3 KB

craigwf

New Member
Thread author
Dec 14, 2014
10
There is still adware appearing. Attached is the fixlog and a new scan.
 

Attachments

  • FRST.txt
    28.5 KB
  • Fixlog.txt
    3 KB

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    Code:
    createsrpoint;
    QuickScan;
    autoclean;
    emptyalltemp;
    ipconfig /flushdns;b
    emptyfolderscheck;delete
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in Notepad.
  • If a reboot is needed, it will be opened after it. You may also find it on your main drive (usually the C:\ drive).

Post its content into your next reply.
 

craigwf

New Member
Thread author
Dec 14, 2014
10
Looking through her Programs and Features, I saw a listing for Media Player Z. When I googled it, every entry I found was in Polish and referred to a media player that throws up all kinds of ads, pop-ups, etc. Though it would not allow me to uninstall it from Programs and Features, I stopped the service in Task Manager and then deleted the folder in Program Files (x86). I could find no reference to it in User/App Data. I then reset both browsers (IE and Firefox) to factory settings as shown in http://malwaretips.com/blogs/ads-by-media-player-removal/. After running the Zoek scan (attached), I then did a registry cleaning and my subsequent browsing in both browsers failed to show any redirects or pop-up ads.
 

Attachments

  • zoek-results.log
    22 KB

craigwf

New Member
Thread author
Dec 14, 2014
10
Argus, she says it came back! She admits to having clicked on a pop-up that told her to update some Flash program. May we carry on from here, or should I start a new Request for Assistance? I plan on seeing her tomorrow and will do a FRST scan at that time. I have heard that some of these viruses can reside on the client's router and thus re-infect the network PCs after the PC has been cleaned of all traces. I hope that isn't the case here.
 

craigwf

New Member
Thread author
Dec 14, 2014
10
I reset the gateway and then looked at Programs and Features and saw a substantial number of programs added within the past week that she denies any knowledge of. I uninstalled (after ending task, if it was running) AnyProtect, ConvertAD, BlockandSurf, Cytiweb, Desktop Temperature Monitor, Games Desktop, Ge-Force (her Lenovo uses AMD video), Storm Watch and SearchModule. I had to then install Revo Uninstaller to remove YT Downloader. I changed her IE Connections tab back to Automatically detect from "Proxy" and returned her homepage to Yahoo. Attached is the FRST.txt after all that was done. Hopefully the script to get the rest out will now be small and easy.
 

Attachments

  • FRST.txt
    31.3 KB
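The two findings in the post above (programs silently added within the past week, and the IE connection setting switched to a proxy) can be checked from an elevated PowerShell prompt instead of by clicking through Programs and Features. This is an added example for readers of the thread, not a script from the thread or from any of the tools it uses; the seven-day window and the registry paths it reads are stated in the comments.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell session on the
# affected machine. The 7-day window is a constructed choice matching the post above.
$cutoff = (Get-Date).AddDays(-7)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Programs registered within the window, with publisher, install folder and the
#    uninstall command, so each entry can be reviewed before anything is removed.
#    InstallDate is stored as a yyyyMMdd string and is not present for every entry.
$recent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
    ForEach-Object {
        $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        if ($installed -ge $cutoff) {
            [pscustomobject]@{
                Installed       = $installed.ToString('yyyy-MM-dd')
                Name            = $_.DisplayName
                Publisher       = $_.Publisher
                InstallLocation = $_.InstallLocation
                UninstallString = $_.UninstallString
            }
        }
    } | Sort-Object Installed -Descending
$recent | Format-Table -AutoSize

# 2. Per-user WinINET proxy settings (what the IE Connections tab writes) and the IE
#    start page, which the post above found changed to a proxy and to a search site.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main'
[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable     # 1 = a manual proxy is in use
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL   # PAC script URL, if any
    StartPage     = $main.'Start Page'
} | Format-List

if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Write-Warning 'A proxy or PAC URL is configured for this user; confirm it is intended before clearing it.'
}
```

Run it again after each cleaning round: an entry that reappears in the first list, or a proxy that comes back, points to something that was not removed.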

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    4.3 KB

craigwf

New Member
Thread author
Dec 14, 2014
10
Thank you very much. After running the fix, both browsers continued to open to www-search.com instead of the selected home page. I ran ADW and Malwarebytes, reset both browsers, re-installed the printer drivers (the network connection to the printer had been disabled) and now everything is behaving correctly. I pray it stays that way as I don't plan on driving over there again any time soon.
 

Attachments

  • Fixlog.txt
    8.7 KB

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Glad we could help. We will delete all used tools.



Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 

craigwf

New Member
Thread author
Dec 14, 2014
10
Argus, hard to believe but it came back again, this time worse than ever. After signing in to Windows, so many things are starting up that she gets a black screen for 5 to 10 minutes with only the occasional pop-up inviting her to register PC Protect. I found out how to get to a command prompt with administrative authority and ran system file checker which said some files are corrupt and could not repair them. I was able to copy her important documents to a flash drive and told her she needs to spend some money ($69 from Lenovo) to get the Recovery Media so she can wipe her hard drive and re-install Windows 8.1 from scratch. It amazes me that none of the tools we used was able to find the base file that was opening her pc to all that malware.
 
