Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: rassel on January 08, 2008, 09:55:28 AM
-
??? Is ComboFix safe to use now? I have downloaded it, but after downloading I saw some web page saying that ComboFix has rootkits or I dunno what that is :P ? Can anyone tell me, is ComboFix safe to use now?
-
If you download from the official site, it's a security/cleaner tool. It's safe, although it could be for advanced users (not simple).
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
-
:D Wow, after I finished running ComboFix it saved a lot of space on my computer and it is 30% faster than before!!!! :o
-
:D Wow, after I finished running ComboFix it saved a lot of space on my computer and it is 30% faster than before!!!! :o
But the most important is to post the logs here and get clean, otherwise, the viruses will come back.
-
The definitive guide for ComboFix can be found here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix. And it is the only official guide.
-
Tech, you asked me to post the logs here but I can't find it; I closed it already, so how do I get it back ???
-
Look in c:\combofix
-
Ok here is the post
-
Please download NoLop to your desktop from one of the links below...
Link 1 (http://www.spywareedge.net/nolop/NoLop.exe)
Link 2 (http://www.spywaretimes.com/Tools/download/21/chk,ed0778d88843ca2625ab6208a197bcc5/)
Link 3 (http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16)
- First close any other programs you have running as this will require a reboot
- Double click NoLop.exe to run it
- Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
- When scanning is finished you will be prompted to reboot only if infected, Click OK
- Now click the "REBOOT" Button.
- A Message should popup from NoLop. If not, double click the program again and it will finish
Please Post the contents of C:\NoLop.log along with a fresh HijackThis log
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx (http://www.boletrice.com/downloads/mscomctl.ocx) to your system32 folder then rerun the program. --
-
Is this program safe to use :o? Will it delete some of the files that I need? I'm afraid that it will delete some of my computer programs that I need to use ;D
-
No, you have a LOP infection that needs to be removed. The programme is safe.
-
Well OK, I trust you, I will try to use it now.
-
Erm essexboy, I wanna say that I don't really know the meaning of (Please Post the contents of C:\NoLop.log along with a fresh HijackThis log); please give some idea.
-
OK nolop will generate a log at this location C:\NoLop.log
Download & Run HijackThis.exe
- Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.
- Doubleclick HJTInstall.exe to install it.
- By default it will install to C:\Program Files\Trend Micro\HijackThis .
- Click on Install.
- It will create a HijackThis icon on the desktop.
- Once installed, it will launch Hijackthis.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
-
Hey, I can't post it. It is too long for me to post here; it says not more than 100000 words. So how can I do the Additional Options? Or what?
-
You can save the log into a .txt file and attach it to your next post: under Additional Options click Attach, select Browse and select your log file.
Or you can split the log into multiple posts.
-
Sorry, I can't post the log on here so I did this, and this is the log you want.....
-
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
R3 - URLSearchHook: (no name) - {BAB1AC41-6FF7-4F2E-A04E-5C592CCFEA7D} - (no file)
O4 - HKCU\..\Run: [waitdead] C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1\Joybeep.exe
O4 - HKLM\..\Run: [eggs joy math type] C:\Documents and Settings\All Users\Application Data\Bind army eggs joy\two plan.exe
O8 - Extra context menu item: ·¢ËÍͼƬµ½ÊÖ»ú - C:\Program Files\P4P\cx.htm
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
1. Please open Notepad
- Click Start, then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Folder::
C:\Documents and Settings\All Users\Application Data\Bind Army Eggs Jo
C:\Documents and Settings\Administrator\Application Data\Greatonline
3. Save the above as all files CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
(http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif)
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
-
OK thanks, and here is the post, but I'm not sure whether I did it correctly or not. ;D
Oh ya, and you said that about CFScript.txt, it is from where I have no idea, so what I did is go to the folders that you gave me (C:\Documents and Settings\All Users\Application Data\Bind Army Eggs Jo) and (C:\Documents and Settings\Administrator\Application Data\Greatonline) and I extracted the files into the notepad.txt. Is that correct?
-
No, what you needed to do was copy the text in the quote box to a Notepad file and then save it as cfscript, then drag and drop that on the ComboFix icon.
Then it would have deleted these two folders and any associated files
C:\Documents and Settings\All Users\Application Data\Bind army eggs joy
C:\Documents and Settings\Administrator\Application Data\GreatOnline
They are both LOP folders which are not good
Also you do not appear to have removed these lines from Hijackthis
R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
R3 - URLSearchHook: (no name) - {BAB1AC41-6FF7-4F2E-A04E-5C592CCFEA7D} - (no file)
O4 - HKCU\..\Run: [waitdead] C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1\Joybeep.exe
O4 - HKLM\..\Run: [eggs joy math type] C:\Documents and Settings\All Users\Application Data\Bind army eggs joy\Type Scr.exe
O8 - Extra context menu item: ·¢ËÍͼƬµ½ÊÖ»ú - C:\Program Files\P4P\cx.htm
O8 - Extra context menu item: ʹÓÃËѹ·Ö±Í¨³µÏÂÔØ - C:\Program Files\P4P\dl.htm
Until you remove them you are still infected
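The check described in the post above (are the entries that were to be fixed still in a fresh HijackThis log?) can be automated. This is an added example, not part of the original thread; the function names `parse_entries` and `still_present` are hypothetical, the fix list is taken from the thread, and the fresh log is a constructed sample.

```python
import re

# A HijackThis entry looks like "O4 - HKLM\..\Run: [name] C:\path\file.exe":
# a section code (R3, O4, O8, ...), " - ", then the entry body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(text):
    """Map normalized (code, body) -> original line for each entry line."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        # Windows paths and registry names are case-insensitive;
        # also collapse runs of whitespace before comparing.
        body = re.sub(r"\s+", " ", m.group(2)).casefold()
        entries[(m.group(1), body)] = raw.strip()
    return entries

def still_present(fix_list, fresh_log):
    """Return the fix-list lines that still appear in the fresh log."""
    fresh = parse_entries(fresh_log)
    return [line for key, line in parse_entries(fix_list).items() if key in fresh]

# Entries the helper asked to fix (taken from the thread).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
R3 - URLSearchHook: (no name) - {BAB1AC41-6FF7-4F2E-A04E-5C592CCFEA7D} - (no file)
O4 - HKCU\..\Run: [waitdead] C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1\Joybeep.exe
"""

# Constructed sample of a fresh log (not from the thread): one URLSearchHook
# is gone, the Run entry survives with different letter case.
FRESH_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - {BAB1AC41-6FF7-4F2E-A04E-5C592CCFEA7D} - (no file)
O4 - HKCU\..\Run: [waitdead] c:\docume~1\admini~1\applic~1\greato~1\joybeep.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

if __name__ == "__main__":
    for line in still_present(FIX_LIST, FRESH_LOG):
        print("still present:", line)
```

The comparison is textual, so the same path written once in 8.3 short form (`GREATO~1`) and once in long form will not match; resolving that needs the live file system.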
-
OK ;) I'm very thankful for your help with my laptop, and here is the newest post you wanted; if anything is wrong, tell me. :P And I have followed what you said.
-
Can you manually delete these two folders
C:\Documents and Settings\All Users\Application Data\Bind army eggs joy
C:\Documents and Settings\Administrator\Application Data\GreatOnline
Once they are gone you look to be clean
-
Wow, that's really dangerous: when I opened this folder, C:\Documents and Settings\Administrator\Application Data\GreatOnline, avast suddenly popped up and said that there is a trojan. Thanks a lot essexboy. And I can't delete this folder, C:\Documents and Settings\All Users\Application Data\Bind army eggs joy; it says that it is being used by another person or other program, so how can I delete it?
-
rassel
Please boot to safe mode and try to delete it from there. Remember to empty the recycle bin when you are done.
-
OK, thanks a lot to you all :) and there is another problem, which is: I deleted this folder (C:\Documents and Settings\Administrator\Application Data\GreatOnline) and it was not there, and the next day I went to check and the folder was there, so I deleted it again, and today it appears in this folder (C:\Documents and Settings\Administrator\Application Data) again. How do I keep it off my laptop ???
-
Rerun combofix again and I will have a look see
-
OK, and sorry for the late reply :P :D
And do you need a HijackThis log? If you want it then tell me.
-
LOP is still there. If this does not work I will have to use a different hammer.
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\WINDOWS\Tasks\AED442E7918FFD47.job
- Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1
c:\docume~1\admini~1\applic~1\greato~1\heck peak bone.exe
- Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
-
This is the post 8)
C:\WINDOWS\Tasks\AED442E7918FFD47.job moved successfully.
[Custom Input]
< C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1 >
File/Folder C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1 not found.
< c:\docume~1\admini~1\applic~1\greato~1\heck peak bone.exe >
File/Folder c:\docume~1\admini~1\applic~1\greato~1\heck peak bone.exe not found.
OTMoveIt2 v1.0.14 log created on 01242008_165934
-
Oh ya, I forgot to tell you that the GreatOnline folder has been removed from my computer and is not in there anymore.
Thanks essexboy
-
OK, and then LOP is gone - try not to get another one ;D
-
He he ok thanks for your help ! ::) ;D