Combofix breaks internet
Tags:
- Security
- Apps
canadian69
July 9, 2012 2:02:37 PM
Ran into an interesting computer issue today (Win XP SP3): this machine has some sort of redirect spyware/malware running on it, which takes the user to web pages that they don't wish to visit. Malwarebytes didn't detect anything, nor did Symantec Endpoint. I am running the MSR.exe right now, but thus far no infections have been found; browser behavior clearly disputes this.
So anyway I went to run ComboFix, but it won't run (yes, I have the latest); it extracts, updates and fails on the restart. I have tried running it in safe mode as well, but can't get it to launch properly. My conclusion is this machine has some malware capable of messing with ComboFix.
I also noticed a strange effect each time I try to run ComboFix: it temporarily kills my wifi. I am still connected, but the network icon disappears from the system tray; I have to go through Control Panel to get it back, and after this Firefox no longer connects. I tried flushing the DNS, no go. Restarting brings the network back up, but I am still saddled with the redirect issue.
Notably, there is nothing in the process list that seems strange. There is nothing wrong with the hosts file or with the network config. Nothing jumps out in the HijackThis log.
Any ideas?
canadian69
July 12, 2012 11:52:44 AM
I have tried Chrome and Opera and IE and they all seem to be working, however the redirects are intermittent with FF 13.0.1 so I can't confirm 100%.
So if we assume that FF is compromised somehow, I still have the remaining issue of not being able to run Combofix (not even in safe mode). I recognize that this may be coincidental and caused by some other issue, but we know that the browser is redirecting due to some piece of malware, yet nothing detects it and I can't run the tool that arguably works best, lol.
Where to from here I wonder?
Best solution
canadian69
July 12, 2012 2:47:16 PM
So it seems that TDSSKiller found whatever malware it was that was causing the problem (Win32.ZAccess.aml). Once that was cleaned and the machine rebooted, ComboFix was able to run correctly and found a pile of other stuff.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\Application Data\app
c:\documents and settings\Admin\Application Data\app\Jerakine_lang.dat
c:\documents and settings\Admin\Application Data\app\Jerakine_lang_vesrion.dat
c:\documents and settings\Admin\Application Data\vso_ts_preview.xml
System running fine now.