
Think you may have malware but are unsure?


ZeroDamage


Run ComboFix on your computer. Had a user who was apparently visiting a lot of porn sites. Of course she wasn't, and the typical anti-virus programs were not detecting anything. I knew they were not coming into the office on a Sunday night to watch porn, so I decided to just run ComboFix to see what would happen.

 

It found this and removed it. It is apparently a clickjacker and has been around for a year or more. Still, the anti-virus vendors do not detect it, as shown by VirusTotal.

 

https://www.virustot...sis/1348494257/

 

How do you run ComboFix? Carefully! While it is recommended that you not use it without first being guided by the support at bleepingcomputer.com, it should be safe for almost anyone to run it and see if it finds anything. You may be surprised.

 

Disable your antivirus before running it and close all other programs. Make sure your important files are backed up. I've never had it kill a computer, but you never know.

 

Neither I nor GC can be held responsible if anything does go wrong. There is always that chance; do this at your own risk.

 

 

http://www.bleepingc...nload/combofix/

 

Here is a guide to using ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Edited by ZeroDamage

Actually, if you just go to the BleepingComputer forums someone will walk you through the removal process for free; you may even get me, as I'm one of the helpers.

 

If you're more confident in yourself, here are some tools commonly used by myself and on the forums.

HijackThis - The old classic, very useful for quick tune-ups along with MSConfig (Windows key + R, type "msconfig", press Enter)

IceSword - Anti-rootkit, useful for when things like ComboFix won't run

GMER - Anti-rootkit, the same one ComboFix uses (catchme.sys), useful on the hard stuff

TDSSKiller - Kaspersky's 0Access/TDSS remover; doesn't catch all the variants but does a decent job. Select the unsigned drivers option to get a quick list of drivers that can be gone through to make sure they're valid and signed.

RogueKiller - French; this fixes some of the TDSS/0Access variants, one of the newer ones that doesn't create a hidden partition. Also fixes the infections that like to mark every file hidden (often seen with Trojan.FakeHDD).

OTL - Link with info page; as stated, like HijackThis on steroids

GParted - A bootable CD/USB partition editor, useful for the TDSS/0Access variants that create a hidden, bootable, non-deletable partition. Usually less than 10MB and visible in diskmgmt.msc. Delete the TDSS partition, set the Windows partition bootable, then run TDSSKiller.

rkill - Kills many known malware processes, allowing you to remove them; very useful for stuff that still starts in Safe Mode

unhide - Useful after a Trojan.FakeHDD infection, as many of the variants set every file as hidden; RogueKiller can do it too

Nirsoft.net - So many free tools, many useful in Windows Active Directory environments. Favorites include ProduKey, which pulls license keys for many Microsoft products and is network capable. AsteriskLogger, WirelessPassView, MailPV, SniffPass, and more are all password recovery tools; anti-virus tends to delete all of them, so disable it. ShellExView lets you delete stuff out of your right-click context menus, very cool. USBDeview lets you view USB devices and set drivers, useful for Android rooting. NK2Edit lets you edit, import, export, etc. the Outlook auto-complete files; very useful, as users are often idiots and use autocomplete for their contacts, and it doesn't get backed up. Lots of other cool stuff too.

Process Explorer - Sysinternals' best utility, great for performance issues and for finding file permission problems and infections. Plenty of tutorials on the web.

RootkitRevealer - Sysinternals' rootkit utility, a bit dated these days, but I still use it now and then.

WinDbg - Microsoft's now-obsolete official debugging tools. Want to analyze a BSOD and have a crash dump? Here is how you do it. Plenty of tutorials on the web for it.

PsTools - Sysinternals' command-line utilities. Lets you run any binary on any computer in a domain environment, including a remote command prompt. Very useful with NirSoft's NirCmd; I use these two all the time.

Malwarebytes Anti-Malware (MBAM) - The cat's meow; removes all sorts of infections, paid-for version optional. Run this after ComboFix.

CCleaner - Great for removing temporary files; you can use the registry section if you want, but it's not really needed.

Defraggler - Great replacement for the Windows defragmenter. Run msconfig, CCleaner, remove all your restore points, and run Defraggler: a general tune-up with just that.

NoScript - This stops all JavaScript/Flash/etc. from running without being allowed first; available on Firefox and Chrome. People who get repeat infections get this, plus some training on using it. Blocks 90% of PEBKAC infections with five minutes of training.

ntpasswd - Bootable CD that lets you reset Windows passwords; doesn't work for Active Directory/domain passwords.

ntregopt - Reduces the size of the registry; rarely used these days, as only Win9x/ME had issues with large hives. Every once in a blue moon I'll see an XP machine where the software hive has grown over 150MB, and I'll run CCleaner to remove dead links and ntregopt to actually reduce the size of the hive. Also comes with ERUNT, a scriptable utility for backing up/restoring all of the hives, used by ComboFix.

YUMI - Easy way to create a bootable USB drive with multiple boot options, including booting multiple ISOs and Windows Vista/7 installers.

McAfee, Norton, AVG removal tools - Seems like half the time Norton won't cleanly uninstall itself on a clean machine; on an infected machine, lots of AV software will fail the built-in uninstaller or it won't run from Safe Mode.

nLite - Lets you take an XP .iso and rip out services, languages, and drivers, and insert drivers, service packs, hotfixes, etc. The XP .iso for my work laptop is 203MB, 13 running processes on boot. There is also vLite for Vista, which *kinda* works for Windows 7 as well.

Angry IP Scanner - Great little IP scanner; quick, tiny, and most AV software deletes it on sight.

SpaceMonger - Great free visual file size utility. Lots of other free ones out there that review better, but I've been using this one for years and it's only 100KB.

 

Side note: if you disable your antivirus and run ComboFix and it fails to finish, you're just about guaranteed to be infected :)

If you do use it, consider making a donation; the guy spends a ridiculous amount of time keeping it up to date and working.

Edited by amertrash
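An added triage script, not ComboFix, TDSSKiller or any other tool from the posts above, that does in PowerShell the read-only checks both posts describe: it lists running drivers without a valid Authenticode signature (the "unsigned drivers" idea from the TDSSKiller item), the Run/RunOnce autostarts HijackThis and msconfig show, recently written executables in user-writable locations, and partitions small enough to be the TDSS/0Access boot partition the GParted item talks about, and prints a SHA-256 for every file so you can look it up on VirusTotal the way the first post did. It changes nothing on the machine. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the function names, paths, the 14-day window and the 20 MB partition threshold are my choices, not anything the posts prescribe.

```powershell
# Added triage script for this thread; it is not ComboFix, TDSSKiller or any tool listed above.
# Read-only: it writes a report and changes nothing. Assumes Windows PowerShell 5.1 or later
# from an elevated prompt. Function names, paths and thresholds are my choices, not the posts'.
[CmdletBinding()]
param(
    [int]$Days = 14,                                         # window for "recently written" binaries
    [string]$Report = "$env:USERPROFILE\Desktop\triage.txt"  # where the report goes
)

$out = New-Object System.Collections.Generic.List[string]

# Win32_SystemDriver.PathName shows up as \??\C:\..., \SystemRoot\..., system32\... or a plain path.
function Resolve-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }
    return [Environment]::ExpandEnvironmentVariables($p)
}

# Pull the image path out of an autorun command line: "C:\Some Dir\a.exe" /arg, or unquoted with args.
function Get-ImagePath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

# One report line per binary: Authenticode status plus SHA-256, ready to paste into VirusTotal.
function Format-FileLine([string]$label, [string]$path) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        return "{0,-28} MISSING    {1}" -f $label, $path
    }
    $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    return "{0,-28} {1,-10} {2}  SHA256={3}" -f $label, $sig, $path, $hash
}

# 1. Running kernel drivers whose image does not carry a valid signature (the "unsigned drivers" idea).
$out.Add("== Running drivers without a valid Authenticode signature ==")
foreach ($d in (Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName })) {
    $path = Resolve-DriverPath $d.PathName
    if ((Test-Path -LiteralPath $path) -and (Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') {
        $out.Add((Format-FileLine $d.Name $path))
    }
}

# 2. Run/RunOnce autostarts, i.e. what HijackThis O4 lines and msconfig's Startup tab list.
$out.Add("`n== Run/RunOnce autostarts ==")
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $out.Add((Format-FileLine $name (Get-ImagePath ($props.$name))))
    }
}

# 3. Executables written in the last $Days days under user-writable locations (the usual drop zones).
$out.Add("`n== Executables modified in the last $Days days in user-writable paths ==")
$since = (Get-Date).AddDays(-$Days)
$roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC) | Where-Object { $_ }
Get-ChildItem -Path $roots -Recurse -Force -Include *.exe, *.dll, *.sys, *.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    ForEach-Object { $out.Add((Format-FileLine $_.Name $_.FullName)) }

# 4. Tiny partitions: the 0Access/TDSS hidden boot partition the GParted step removes is usually under 10 MB.
$out.Add("`n== Partitions smaller than 20 MB ==")
foreach ($p in (Get-CimInstance Win32_DiskPartition | Where-Object { $_.Size -lt 20MB })) {
    $out.Add(("{0}  size={1:N0} bytes  bootable={2}  type={3}" -f $p.DeviceID, $p.Size, $p.Bootable, $p.Type))
}

$out | Set-Content -Path $Report -Encoding UTF8
Write-Host "Report written to $Report ($($out.Count) lines)"
```

Save it as triage.ps1 and run `.\triage.ps1` (or `.\triage.ps1 -Days 30`) from an elevated PowerShell; the report lands on the desktop. Two caveats: a driver that is catalog-signed rather than embedded-signed can show as NotSigned on older Windows versions, so treat that list as a starting point to verify, not a verdict; and a fresh hash in %TEMP% is not proof of infection by itself, which is exactly why the hash is there: paste it into VirusTotal, as the first post did, before deciding.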
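The unhide step from the list above, done in PowerShell as an added example; this is not the unhide tool or RogueKiller, and it makes one deliberate choice those items do not spell out: it leaves anything that also carries the System attribute alone, because desktop.ini, ntuser.dat and the legacy profile junctions are hidden by design and unhiding them only creates noise. It assumes Windows PowerShell 5.1 or later; the default root (the current user's profile) is my choice.

```powershell
# Added example, not the unhide tool from the list above: clears the Hidden attribute that
# Trojan.FakeHDD-style rogues set on user files. Skips anything that also carries the System
# attribute (desktop.ini, ntuser.dat and friends), which is hidden by design. Supports -WhatIf.
# Assumes Windows PowerShell 5.1 or later; the default root is my choice.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = $env:USERPROFILE   # walk this tree; pass C:\ to cover the whole drive
)

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System
$script:cleared = 0
$script:skipped = 0

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes.HasFlag($hidden) } |
    ForEach-Object {
        if ($_.Attributes.HasFlag($system) -or $_.Name -ieq 'desktop.ini') {
            $script:skipped++          # hidden by design, leave it alone
            return
        }
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Clear Hidden attribute')) {
            # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they were.
            $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot [int]$hidden))
            $script:cleared++
        }
    }

Write-Host "Cleared Hidden on $script:cleared item(s) under $Root; left $script:skipped system/by-design hidden item(s) alone."
```

Run it with `-WhatIf` first to see what it would touch, then without. Because it clears Hidden on everything that is hidden-only, a few folders Windows hides without the System bit (AppData is one) will become visible afterwards; `attrib +h` puts those back if it bothers you. Run it after the infection is gone (ComboFix, then MBAM, per the post), not before, or the rogue just re-hides everything.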
