WARNING: Do NOT run ComboFix

TroganTrogan London, UK
edited February 2007 in Spyware & Virus Removal
The creator of ComboFix, sUBs, has encountered a Rootkit that will cause ComboFix to recursively delete all files from SystemDrive.

This is what he had to say:
I have just encountered a rootkit that will cause CF to recursively delete all files from SystemDrive.

Pulling the tool till further notice.

Please inform your users not to use CF. Who knows if that rootkit is in there.

Please spread the word. Also have users delete their copies of CF
If you try to download ComboFix, you will only receive a text file saying:
The tool, ComboFix has been temporarily withdrawn.

The author discovered a rootkit infection that will interfere with ComboFix's running.

This will cause Combofix to be UNSAFE FOR USE on your machine.

Even if you manage to find a mirror for the tool, PLEASE DO NOT RUN THIS TOOL

Apologies for any inconvenience caused
If you have ComboFix present, please delete it from your computer immediately.

Information will be posted when received.


Instead of CF we can use ComboScan.

Download ComboScan to your Desktop.


1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - ComboScan.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread.
5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
6. Please attach Supplementary.txt to your post.


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.


Canned:
[PHP]Download ComboScan to your Desktop.


1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - ComboScan.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread.
5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
6. Please attach Supplementary.txt to your post.


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.[/PHP]


The user downloads a single executable and runs it. ComboScan gives your standard warnings, then does the following (in order):
1. Logs if the computer is in Normal Mode, Safe Mode, or Safe Mode with Networking. No more guessing!
2. Creates a restore point (Normal Mode XP and Vista only). Will try to re-enable System Restore if it was disabled.
3. Cleans Temporary Files, Downloaded Program Files, Internet Cache Files, and empties the Recycle Bin on all drives.
4. Searches for HijackThis on the system. If it cannot find it, it will ask the user for permission to download a copy from greyknight17.com. The user also has the option of telling ComboScan where their copy of HijackThis is if they have already downloaded it.
5. Renames HijackThis based on the login name and gets a log using the /autolog parameter, closing both HijackThis and the Notepad without requiring interaction from the user.
6. Lists out HJT entries that the user has hidden.
7. Lists out HJT backups.
8. Dumps file associations (similar to SREng) and will highlight in red if something doesn't match up.
9. Dumps drivers (whitelisted) and tests for pe386/Rustock.
10. Dumps services (again, whitelisted).
11. Dumps the Scheduled Tasks folder.
12. Prints files created in the past 30 days and files modified in the past 90 days, similar to ComboFix.
13. Dumps various registry load points with whitelist (very similar to ComboFix).
14. Gets basic system information, such as number of CPUs, memory usage, drive information (filesystem type, space).
15. Dumps Security Center information (if appropriate).
16. Dumps DOS environment variables.
17. Lists all user profiles on the system (and says which are administrative accounts).
18. Dumps Add/Remove programs, looking in both HKLM and HKCU. Common Microsoft entries are whitelisted.
19. Turns off word wrap in Notepad.
20. Unhides files and shows extensions.
21. Opens the logs in Notepad for the user to post.

In all, it takes anywhere from 1-5 minutes to do all the above, depending on the system.
ComboScan produces two logs. The primary log contains everything up to and including the registry dump, and the supplementary log contains everything else. You can find both logs in C:\ComboScan.

Some additional notes:

  • If ComboScan downloads and installs HijackThis for the user, it installs it as %PROGRAMFILES%\HijackThis\HijackThis.exe and creates a shortcut for the user on their Desktop.
  • If ComboScan cannot download HijackThis and the user doesn't have a copy of HijackThis for ComboScan to use, ComboScan will produce a HijackThis-esque log. They will still need to install HijackThis or you will need to manually fix the system as ComboScan does not provide this ability.
  • There is a command switch, /config, that will allow you to pick and choose which modules you want ComboScan to use.
  • When ComboScan is run for the first time, it will produce a full set of logs. Each subsequent run will only produce a HijackThis log along with a file and registry dump (no restore point or cleanup is performed). If you want something else -- like the driver dump -- you will need to have the user run ComboScan with /config. If the user downloads and runs a newer copy of ComboScan, it will produce a full set of logs again the first time the new copy is run.
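As an added example (not ComboScan's or ComboFix's own code), here is a read-only PowerShell collector that reproduces the gist of the modules listed above: boot mode, services and drivers with a signature whitelist, the Scheduled Tasks folder, recently created or modified executables, registry load points, local accounts with administrator membership, and Add/Remove Programs. Because this thread is about a tool that could be induced to delete everything on SystemDrive, the script is deliberately read-only: it writes one timestamped log and changes nothing else (no temp cleanup, no restore point, no HijackThis download). Assumptions: the C:\TriageScan output folder, the 30/90-day windows, the "valid Microsoft Authenticode signature" whitelist heuristic, and that it runs from an elevated Windows PowerShell 3.0 or later prompt.

```powershell
# Added example, not ComboScan/ComboFix code. Read-only triage collector.
$OutDir = 'C:\TriageScan'                                   # assumed output location
$Log    = Join-Path $OutDir ("TriageScan-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Write-Section([string]$Title, $Data) {
    "`n==== $Title ====" | Out-File -FilePath $Log -Append -Encoding UTF8
    $Data | Out-String -Width 250 | Out-File -FilePath $Log -Append -Encoding UTF8
}

# Normalise the forms an ImagePath/PathName can take so the binary can be checked.
function Resolve-ImagePath([string]$Raw) {
    if (-not $Raw) { return $null }
    $p = if ($Raw -match '^"([^"]+)"') { $Matches[1] }                  # "C:\x y\a.exe" -args
         elseif ($Raw -match '^(\S+?\.(?:exe|sys|dll))') { $Matches[1] } # C:\x\a.exe -args
         else { $Raw }                      # unquoted path with spaces: left as-is, so it is listed
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\\?\?\\', ''                                     # \??\C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                    # \SystemRoot\System32\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p } # system32\drivers\x.sys
    return $p
}

# Whitelist heuristic (assumption): hide entries whose file exists and carries a valid
# Microsoft Authenticode signature. Everything else, including unresolved paths, is logged.
function Test-MicrosoftSigned([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

# 1. Boot mode: BootupState is "Normal boot", "Fail-safe boot" or "Fail-safe with network boot";
#    SAFEBOOT_OPTION is only set inside Safe Mode.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Section 'Boot mode' ([pscustomobject]@{ BootupState = $cs.BootupState; SafeBootOption = $env:SAFEBOOT_OPTION })

# 9/10. Drivers and services (both classes expose Name, State, StartMode, PathName), whitelisted.
foreach ($class in 'Win32_SystemDriver', 'Win32_Service') {
    $rows = Get-CimInstance -ClassName $class | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; State = $_.State; StartMode = $_.StartMode; Path = $_.PathName;
                           MsSigned = (Test-MicrosoftSigned (Resolve-ImagePath $_.PathName)) }
    } | Where-Object { -not $_.MsSigned }
    Write-Section "$class (not Microsoft-signed)" ($rows | Format-Table Name, State, StartMode, Path -AutoSize)
}

# 11. Scheduled Tasks folder (task definitions live as XML under System32\Tasks).
$tasks = Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'System32\Tasks') -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
Write-Section 'Scheduled Tasks folder' ($tasks | Format-Table -AutoSize)

# 12. Executable files created in the past 30 days or modified in the past 90 days under SystemRoot.
#     Timestamps can be forged by malware, so treat this list as a lead, not proof.
$now = Get-Date
$exeTypes = '.exe', '.dll', '.sys', '.scr', '.cpl', '.ocx'
$recent = Get-ChildItem -LiteralPath $env:SystemRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $exeTypes -contains $_.Extension.ToLower() -and
                   ($_.CreationTime -gt $now.AddDays(-30) -or $_.LastWriteTime -gt $now.AddDays(-90)) } |
    Select-Object FullName, CreationTime, LastWriteTime, Length
Write-Section 'Recent executables under SystemRoot' ($recent | Format-Table -AutoSize)

# 13. Registry load points: Run/RunOnce in HKLM (both views) and HKCU, plus Winlogon Shell/Userinit.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$autoruns = @(foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
    }
})
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$autoruns += @(foreach ($n in 'Shell', 'Userinit') { [pscustomobject]@{ Key = 'Winlogon'; Name = $n; Command = $wl.$n } })
Write-Section 'Registry load points' ($autoruns | Format-Table -AutoSize -Wrap)

# 17. Local accounts, flagging members of the local Administrators group.
$admins = @(([ADSI]'WinNT://./Administrators,group').Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$users = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE' |
    Select-Object Name, Disabled, @{ n = 'Admin'; e = { $admins -contains $_.Name } }
Write-Section 'Local user accounts' ($users | Format-Table -AutoSize)

# 18. Add/Remove Programs from HKLM (both views) and HKCU, Microsoft publishers whitelisted.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$programs = Get-ItemProperty -Path $uninst -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.Publisher -notlike 'Microsoft*' } |
    Sort-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
Write-Section 'Installed programs (non-Microsoft)' ($programs | Format-Table -AutoSize)

Start-Process -FilePath notepad.exe -ArgumentList $Log       # 21. open the log for posting
```

Two design points worth noting. First, the whitelist is a heuristic, not a verdict: a valid Microsoft signature on the file that the registry points at says nothing about a driver that has been loaded by other means, which is exactly the situation the original post is worried about, so a clean log does not clear a suspected rootkit. Second, the script never writes anywhere except its own log file; if you extend it with cleanup steps, keep the collection and the deletion in separate scripts so that a malformed or hijacked input can never turn the collector into something that deletes.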