System Fix, iExplore, Combofix problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by DrRobin, Dec 6, 2011.

  1. DrRobin

    DrRobin Private E-2

    Hi,

    I have managed to get System Fix on my PC. I run Avira and saw a couple of virus warnings, and the next thing is it had System Fix; apart from Outlook running I wasn't doing anything and I had previously removed any junk emails using a pop checker. I ran iExplore.exe from Bleeping Computer and I already had Malware Bytes installed.

    After several tries iExplore and MBAM removed all of the viruses they could find, but I still had a problem with browser re-direct.

    I downloaded unhide and ran this as well, which restored my icons and menus.

    I downloaded TDSSKiller, but this fails to run. I then saw some notes about Combofix and how this can detect rootkit virus so downloaded it and ran it.

    The first time it went through it mentioned that MS System Restore wasn't installed, so I installed that and then it displayed two dialog boxes. One said

    Combofix - ZeroAccess
    You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection.


    It then ran some more and another dialog popped up

    ROOTKIT

    Rootkit is detected

    Be patient as this may take some moments.


    The program continued to run and then after some time the hard disk access stopped and finally the PC just locked up, first no keys would work, but the mouse would, then the mouse stopped working, probably after about 40 mins from first starting Combofix.

    I ran it a couple more times, but didn't see the error messages, and about 10 minutes after the hard disk stops, it crashes. I see Combofix unpack and then a command window opens saying

    ------------------------------------------------------
    Please wait.
    Combofix is preparing to run.

    Attempting to creat a new System Restore Point
    ------------------------------------------------------

    And then another window pops up with progress bars saying it is backing up the registry.

    Then the command window clears and displays
    ------------------------------------------------------
    Scanning for infected files...
    This typically doesn't take more than 10 minutes
    However, scan times for badly infected machines may easily double
    ------------------------------------------------------

    The hard disk lights for around 20 minutes and it is after this the PC freezes.

    I just thought I have mapped network drives, perhaps Combofix is trying to scan those and failing? I have also turned Avira off, but Combofix still comes up with the warning, perhaps I should un-install?


    I think it still has the same virus. All of these tests were mostly run in Normal mode but with no Internet connection. Should I have run these in Safe Mode?

    I had tried a System Restore after getting rid of System Fix, but this either didn't run in the first place or when the PC re-booted, System Restore said nothing had changed and the restore had failed.

    Any suggestions would be gratefully received.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Now we will try using two tools designed especially for this kind of infection.

    • Download AntiZeroAccess to Desktop
    • Also download and save this >> ESETSirefefRemover to your Desktop
    • Now double click on AntiZeroAccess to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
      • Type y and press enter to run the scan
      • Please attach the AntiZeroAccess_Log.txt log to your next message. This file is saved in the same location as AntiZeroAccess program.

    • Now run the Win32/Sirefef tool while in Normal Mode and follow the prompts as directed

    Now download and run MGtools ( from the READ & RUN ME ) and run it as per the below instructions and attach the MGlogs.zip file that is requested.

    Using MGtools
     
  3. DrRobin

    DrRobin Private E-2

    Hi,

    Thanks for the suggestions.


    I decided to run another scan; my PC rebooted, but then complained it was missing Hal.dll. After booting from an NTFS CD I couldn't get any further, so I had to put the Windows CD in and perform a restore.

    It did this and now the PC boots but it says the Registry is corrupt. The registry folder has entries but they are all .SAV

    When I ran Combofix it made a back up of the registry but I don't know where it put it or how to restore. Any suggestions would be welcome as I can't proceed with your suggestions until I can get it booting back into Windows.

    Robin
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please post in the software forum for additional assistance. Once you are back up and running, return to this thread. ;)
     
  5. DrRobin

    DrRobin Private E-2

    Hi,

    I have my machine back on, a combination of an NTFS boot disk and a repair install.

    I still have the browser redirect, antizero says it's all clear, ESETSirefef runs but doesn't find anything.

    MGTools doesn't run, it complains of 'find' not being available.

    IExplore.exe now doesn't run correctly, it gets so far through and crashes.

    Combofix also doesn't run, it complains about being run in compatibility mode, which is not set.

    I also can't start Task Manager, there are at least two DLLs missing; I can probably put these in from another XP PC.

    Any suggestions would be gratefully received.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    See if you can do the following:

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
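MBRCheck's "non-standard or infected MBR" verdict in the steps above comes from comparing the boot sector against known-good values. The following is an added example, not part of this thread and not MBRCheck's code: it parses a 512-byte MBR (boot code, disk signature, partition table, 0x55AA marker), hashes the boot code region and compares it with a known-good set. The sample sectors, the patched byte and the known-good hash are all constructed inline; hashing the 440-byte code region is this example's own definition of "standard", not necessarily the one MBRCheck uses.

```python
"""Parse a 512-byte MBR and flag deviations from a known-good boot sector.
Constructed example: the sample sectors and known-good hash are made up here."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # executable boot code, before the disk signature
DISK_SIG_OFF = 440           # 4-byte Windows disk signature, then 2 reserved bytes
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries
ENTRY_LEN = 16
BOOT_SIG_OFF = 510
BOOT_SIG = b"\x55\xaa"       # mandatory end-of-sector marker


def parse_partition_entry(entry):
    """Decode one 16-byte partition table entry (CHS fields are ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Split a raw sector into boot code hash, disk signature and partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    if sector[BOOT_SIG_OFF:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * ENTRY_LEN
        entry = sector[off:off + ENTRY_LEN]
        if entry[4] != 0:                     # type 0x00 marks an empty slot
            partitions.append(parse_partition_entry(entry))
    return {
        "bootcode_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def check_mbr(sector, known_good_hashes):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    info = parse_mbr(sector)
    if info["bootcode_sha1"] not in known_good_hashes:
        findings.append("non-standard boot code (sha1 %s)" % info["bootcode_sha1"])
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) > 1:
        findings.append("more than one partition flagged bootable")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition entry with zero start or length")
    return findings


def build_sample_mbr(boot_code_byte):
    """Construct a synthetic MBR: filler boot code, one NTFS partition, 0x55AA."""
    boot_code = bytes([boot_code_byte]) * BOOT_CODE_LEN
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"   # signature + reserved
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                       b"\x00\x00\x00", 2048, 409600)
    empty = b"\x00" * ENTRY_LEN
    return boot_code + disk_sig + ntfs + empty * 3 + BOOT_SIG


# Constructed "known-good" sector and a copy with one byte patched in the boot code,
# standing in for an MBR that a bootkit has modified.
CLEAN_MBR = build_sample_mbr(0x90)
TAMPERED_MBR = CLEAN_MBR[:100] + b"\xEB" + CLEAN_MBR[101:]
KNOWN_GOOD = {hashlib.sha1(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()}

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, KNOWN_GOOD) or ["Done! boot code matches a known-good hash"])
```

On a real machine the 512 bytes would be read from the physical disk rather than constructed, and the known-good set would hold hashes of the boot code that the OS installer writes; a mismatch alone does not prove infection (non-Microsoft boot managers also produce "non-standard" boot code), which is why the thread's advice is to attach the log rather than act on the verdict by itself.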
  7. DrRobin

    DrRobin Private E-2

    Hi Tim,

    Thanks for your help. I couldn't run TDSSKiller when booting from the C drive, it just didn't do anything.

    I did run MBRCheck and it found an MBR virus, non standard hash key. I have saved the log file and as soon as my PC has finished restoring my virus scanner I will post it.

    I did have an idea: I have an NTFS boot/utility disk, it boots the PC from the CDROM and gives a limited set of tools. TDSSKiller ran under this and it found a rootkit virus, which it removed. I didn't make a note of which one, but when I rebooted and reran TDSSKiller, it said everything was okay. I also reran MBRCheck and it didn't find anything. Combofix wouldn't run under this and neither did MBRCheck, but TDSSKiller seems to have done the trick.


    I still can't run Combofix, it complains about Compatibility mode, but none of the other scanners seem to find anything. Does this mean I have now got rid of all of the problems, or should I be able to run Combofix and get a log file?
    My browser now doesn't redirect on a Google search and all of the excess hard disk activity seems to have stopped.

    Regards

    Robin
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It sounds as though you may have cracked it. I would still like to see the log from running MBRCheck and if you could, a log from running MGtools --> C:\MGLogs.zip.
     
  9. DrRobin

    DrRobin Private E-2

    Hi Tim,

    I am not sure if it is cracked or not. I can't get MGtools to run and unfortunately the window closes before I can see anything.

    Combofix doesn't run, it complains of being in 'Compatibility Mode'.

    IExplore.exe (RKill) doesn't run correctly either, it seems to either complain about not being able to access something or just closes.

    I am also trying to re-install my Virus Scanner (Antivir), but it unpacks everything and then crashes whilst it runs a soft compatibility test.

    Not sure if you can recommend a good virus scanner/firewall?

    Anyway, I have managed to get my MBR file off the machine and attached it.

    Regards

    Robin
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your MBRCheck log was garbage. But you stated that when you ran it, it didn't find any problems with your MBR. And that other scans were coming up clean. I can only assume that you are having system issues and you may need to pursue this in the software forum.

    What OS are you using?
     
