ComboFix on Windows 7 32 bit?
Jintan Welcome to BG forums gamaheu,RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button.RSIT will also create a second log , info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).here and download the installer for Gmer to your desktop, then click that file to run Gmer.Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). Back to Top
gamaheu Hi Jintan, Thank you for your responce. Back to Top
Jintan Sorry, I had overlooked it is Windows 7. Few of our tools are set for that just yet, though some like RSIT work on one, and then not on another. And you very much would not want to be running a change making scan like ComboFix on that either.here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top check "Scan All Users ", then click "Quick Scan ". Make no other changes at this time. Back to Top
gamaheu Hi Jintan========== Processes (SafeList) ========== ========== Modules (SafeList) ========== ========== Win32 Services (SafeList) ========== ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== ========== FireFox ========== ========== Files/Folders - Created Within 14 Days ========== ========== Files - Modified Within 14 Days ========== ========== Files Created - No Company Name ========== ========== LOP Check ========== ========== Purity Check ========== ========== Alternate Data Streams ========== Back to Top
Jintan No malware in that view. Although the infection can mask it's presence in a file, let's check the file copies you have there. Again, not really sure working from just some Hitman Pro means infection exists.here and download jpshortstuff's SystemLook to your desktop, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):Look . Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt.here and place it on your C drive (so the file is then C:\mbr.exe). cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Rightclick on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:cd\ exit and press Enter to close the command window. Back to Top
gamaheu OK great they both workef. Below are the log files. Thanks again. Back to Top
gamaheu OTL ran without error and required a reboot which also ran, though the report was generated immediately following the reboot yet it says that it cannot perform the replace without a reboot. It looks as though it did not work. I did however run the mbr again as well. The reports are below. Back to Top
gamaheu Im thinking that I can't do the replace while the machine is running because the atapi.sys drive is always in use and the OS can not operate without it. Is this a possibility? Back to Top
Jintan Are you actually experiencing redirects when using searches, like Google? OTL's log shows file moved on reboot, but I have been concerned from the start here whether or not this system is in fact infected with the Olmarik file exchange malware. There are some softwares, especially Alcohol/Daemon Tools, that mimic this malware effect.here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:Remove found threats log.txt ). Click Edit - Select All then copy/paste that log back here please.here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan. Back to Top
gamaheu I may have spoke too soon on my last reply. The redirector seems to be gone. Google links are linking properly following the atapi.sys move. That driver was definitely the culprit. I installed and ran the ESET scanner and it found nothing. The log was empty. For the time being, all is well. I want to thank you for all your help. Back to Top
Jintan I do not trust the results of Hitman Pro, but the last mbr.exe log did show the driver file altered. Your choice, but I would suggest you ate least run and post back a new mbr.exe -t scan result to check. Back to Top
gamaheu ok sounds good. Ill do that this evening and post back. Back to Top
Jintan Good enough - post when ready and we will review then. Back to Top
gamaheu Well unfortunately all is lost once more. Last night I shut down the system which I rarely do, and it did about 17 updates, which took a while, and when it was finally back up, the rootkit was back. Google and Yahoo are totally useless and the infected atapi.sys file is back. The problem with this seems that I need to replace this file with a good one and keep it replaced though, somehow, it reverted back to the infected one following an update. Back to Top
Jintan There is a method that I believe will work for Windows 7. Let's get some current info and try it.jpshortstuff's SystemLook again, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):Look . Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt.cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Rightclick on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:cd\ exit and press Enter to close the command window. Back to Top
gamaheu Okay great Back to Top
gamaheu
Jintan I only just was made aware that ComboFix can be used on Windows 7 systems. Using it is not without risks, but they might be few if any. Let's use that now and check. It also at times can do this file exchange we have been struggling with.here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to 456out.com , then click the renamed 456out.com to run that scan. Back to Top
gamaheu Okay I will do this, this evening and post back. Thank you for responding. Back to Top
Jintan Just post when ready - I will get the email notification of that. Back to Top
gamaheu Hi Jintan here is the log..... Back to Top
Jintan ComboFix normally shows when a legit file is altered, and is not picking that up with atapi.sys there at this time. But the MBR portion of ComboFix does still show the unknown boot level driver. Presents a bit of a situation about what file is actually being altered there. I will need to review other threads and situations on this one, and will post back tomorrow after doing that. Back to Top
32 posts in this thread. 1 2
Forum Information Currently it is Tuesday, May 21, 2013 12:52 PM (GMT +3)View Active Threads Who's Online This forum has 34613 registered members. Please welcome our newest member, aadi95 .Details 5 Latest Threads
|
Forum Help Manual
