Can't Download combofix and others

[hnic]

My computer recently became infected this has happened before so i kinda knew the path i needed to take i ran smitfraudfix and Mbam and all the problems are still here so i weant to go download combofix but i can't download it it just brings me to a window saying Failed to connect and can't establish a connection the same goes for not sure how it's spelled but keospry scanner or something like that and also the site bleepingcomputer.com. Any Help would be amazing Thanks.

[evilfantasy]

Start here. http://www.computerhope.com/forum/index.php/topic,46313.msg290095.html#msg290095

Post what logs you can. Without logs there isn't much we can do.

[hnic]

1.Unable to Download any Antivirus program.
2.Unable to Remove any known unwanted programs.
3.Downloaded CCleaner and ran the program.
4.Unable to download SUPERAntiSpyware
5.Ran MBAM found 2 infections (Ran it also last night in safe mode and found and deleted 7 infections. let me know if you would like that log as well.)
6.Tried to download new Java but says it needs to be opened with an application not sure what to open it with.
7.Unable to download HiJackThis


MBAM LOG

Code: [Select]

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 34756
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Delete on reboot.


[evilfantasy]

See if you can download ComboFix.

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

[hnic]

I am unable to download Combofix.
Is their any other link to download it?

[evilfantasy]

Here. Follow this link and download the zip file to the Desktop unzip and run it from there.

http://www.filedropper.com/combofix

[hnic]

I was able to get it to my Desktop but when i tried to download it it said ComboFix found a rootkit and must restart it did that about 3 times. 

[evilfantasy]

Did you turn off you antivirus before trying to run ComboFix? Or did it finish running?

[hnic]

I don't have any Anti Virus on this computer except for the pop-up when i start up which is apart of the infection.
i double clicked and it had the little combofix with progress bar below it it finishes or appears to and that's when the rootkit problem will pop-up or nothing at all will happen.

[evilfantasy]

Does ComboFix go through the stages? There are like 30 of them, or does it not get that far?

[hnic]

It doesn't get that far the only thing it does is i'm guessing the very first step like right after you click it to open it up.

[evilfantasy]

Download SDFix by AndyManchesta and save it to your desktop. http://www.filedropper.com/sdfix_1

Print out these instructions or copy them into a Notepad file and then save them to your desktop so you can read them in Safe Mode


When using this tool, you must use the Administrator's account or an account with Administrative rights

• Double click SDFix.exe and it will extract the files to %systemdrive%
  
• (this is the drive that contains the Windows Directory, typically C:\SDFix).
  
• DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
  
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  
• Copy and paste the contents of the results file Report.txt in your next reply .

[hnic]

I tried to download it and when i go to open the file it says windows has encountered a problem and needs to close. Is this the same file as SmitFraudFix? Because i had that previously installed.

[evilfantasy]

No it's different.

Try this and then try downloading again.

Go to download the program HostsXpert

• Unzip HostXpert to your Desktop
  
• Open up the HostXpert program.
  
• Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
  
• Click Create Back Up
  
• Then click on Restore Microsoft's Host Files
  
• Close the HostXpert program

.
----------

Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE.

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
A black box will briefly appear and then close.
Restart the computer so the changes can take effect.

[hnic]

The Link to that first download doesn't exist it says. 

[evilfantasy]

http://www.funkytoad.com/index.php?option=com_content&task=view&id=13&Itemid=

[hnic]

It says windows has incountered a problem once again.

[evilfantasy]

Try the second one first.

[hnic]

Can't get to the second link says can't establish connection to that site...

[evilfantasy]

Try from here.

http://www.filedropper.com/hostsxpert

http://www.filedropper.com/fixpolicies

[hnic]

Downloaded both to desktop neither would open is again says Windows has incountered a problem and needs to close.... This infection is insane.

[evilfantasy]

See if you can boot into safe mode and run them. Also try ComboFix from Safe Mode.

[hnic]

Tried it in safe mode same problems...

[evilfantasy]

Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.
 

• Double click on RSIT.exe to run.
  
• Click Continue at the disclaimer screen.
  
• Once it has finished, two logs will open.
• log.txt <will be maximized and info.txt <will be minimized
  
• Please post the contents of both logs in the next reply.

[hnic]

can't establish connection to that link.

[evilfantasy]

Try doing a system restore to before this happened.

[evilfantasy]

Did you say you have Smitfraudfix installed? I need some sort of log.

You may want print out these instructions or copy and paste them to Notepad then save the Notepad file to the Desktop as you will not be able to see this page while in Safe Mode

• Please reboot your computer in Safe Mode by tapping the F8 key just before Windows starts to load and selecting Safe Mode.
  
• Open the SmitfraudFix Folder on your Desktop, then double-click smitfraudfix.cmd file to start the tool.
• Select option #2 - Clean by typing 2 and press Enter.
  
• The program will start cleaning your computer and go through a series of cleanup processes. Wait for the tool to complete and disk cleanup to finish.
• This process can take some time depending on your computer, so please be patient.
• When it is complete, it will close automatically and you should continue with next step.
• You will be prompted: "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
  
• The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file.
  
• Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.
  

A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Warning: Running option #2 on a non infected computer will remove your Desktop background.

Suggested Step:

• To restore Trusted and Restricted site zone, select 3 and hit Enter.

• You will be prompted: Restore Trusted Zone? answer Y (yes) and hit Enter to delete trusted zone.

• Now reboot into normal mode and post this new rapport.txt in the next post.

• WARNING[/COLOR] Running this option on a non infected computer will remove the desktop background. So only run it once!

[hnic]

My Internet went down sorry for the delay.

SmitFraudFix Log

Code: [Select]

SmitFraudFix v2.329

Scan done at 18:49:10.11, Sun 08/31/2008
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1       localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{643CBB29-DC7F-43A0-BB46-95F76804F727}: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{643CBB29-DC7F-43A0-BB46-95F76804F727}: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{643CBB29-DC7F-43A0-BB46-95F76804F727}: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



[evilfantasy]

Did you do the Suggested Step: To restore Trusted and Restricted site zone, select 3 and hit Enter? And did that help with downloading anything?

[evilfantasy]

Do you have another user account you can try to download and use these tools from, specifically ComboFix. If not can you create one and try.

[hnic]

I didn't hit 3 i will now though. And i'll let you know after i create another account.

[hnic]

k hit 3 and made a new account altough i still couldn't download combofix.

[evilfantasy]

Try this. If it doesn't work then you may be looking at a reformat and reinstall.

Close all other browser windows.
 
Go to Start > Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /killall