Thursday, November 17, 2011

Honorable Mention: ComboFix

Yesterday, I had a run-in with a virus. The very first popup, which said something was wrong, already looked illegitimate to me, but then everything became very obvious as the virus started to get in my way whenever it could and tried to keep me from doing just about anything on my PC.

I'm good with computers and good with Windows (well, XP anyway, and that's what I'm running), so I managed to find the one way they had left open and knew how to get just about anything done from that little window I had.
I found that my files were being hidden and that, for as long as the virus was running, it reset my settings every few minutes so that hidden files were not displayed. I had to jump through quite a few hoops, but finally I managed to tell my updated firewall/antivirus software (I use the combined term, as I was actually using a third tool: the active defense) to terminate the virus's process and ban it from starting up again.

I fixed a few things that the virus had left in a bad state, ran a full virus scan over my entire computer and used sfc /scannow to have Windows recover any damage the virus had done to core files. (I am pretty sure it did stuff with ping.exe somewhere along the road...)

I was still left with an incomplete system: my All Programs menu in the Start menu was wrecked, and it had also been messing around with the shortcuts on my desktop and in Quick Start. Additionally, my virus scanner appeared not to have found the virus, so it was still there even though it was being blocked from running.

I looked for something to fix the missing shortcuts. I found a note somewhere that ComboFix did things like that.
ComboFix far surpassed my expectations. Seriously, it mentioned a few things it was going to have to remove, but moreover I found in the logs that it had removed both executables I had identified as malicious myself. Additionally, it removed the shortcuts to its "cover-up", the System Fix program that the virus said I had to purchase the full version of.
It did also fix Quick Start, All Programs and my desktop. I don't know how it did that - is the information needed to rebuild those stored in the registry or something? That would explain why some applications didn't return properly (I was already assuming that they were the ones not doing things properly rather than ComboFix). It would be a bit redundant, but right now, I'm not second-guessing the situation. Everything is fixed. All because of ComboFix!
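Two of the symptoms described above, the hidden user files and the Explorer setting that keeps flipping back to "do not show hidden files", can be undone by hand once the malicious process has been stopped. The batch script below is an added example for Windows XP's cmd.exe; it is not part of the original post and not something ComboFix does or is documented to do. It assumes the standard XP profile paths (Desktop, Start Menu, the Quick Launch bar that the post calls Quick Start, My Documents) and that the malware process is no longer running; the registry values are the ones Explorer reads for the Folder Options "Show hidden files and folders" checkbox. Note what it can and cannot do: `attrib -h` only restores files that were hidden in place. If the shortcuts were moved or deleted rather than hidden, this script will not bring them back, and that would be a separate repair.

```batch
@echo off
rem restore-hidden.cmd - constructed example, not from the post or from ComboFix.
rem Run as the affected user AFTER the malware process has been terminated.

rem Step 1: put Explorer's "show hidden files" settings back.
rem   Hidden = 1 shows hidden files, 2 hides them; ShowSuperHidden = 1 also shows
rem   protected operating-system files.
set ADV=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
reg add "%ADV%" /v Hidden /t REG_DWORD /d 1 /f >nul
reg add "%ADV%" /v ShowSuperHidden /t REG_DWORD /d 1 /f >nul

rem   Some rogues also change the template value behind the Folder Options
rem   checkbox (CheckedValue) so that ticking it never takes effect. 1 is the default.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_DWORD /d 1 /f >nul

rem Step 2: clear the hidden attribute on the folders that were blanked out.
rem   attrib refuses to touch files that also carry the system attribute
rem   ("Not resetting system file"), which keeps desktop.ini and friends as they were.
for %%D in (
    "%USERPROFILE%\Desktop"
    "%USERPROFILE%\Start Menu"
    "%ALLUSERSPROFILE%\Start Menu"
    "%APPDATA%\Microsoft\Internet Explorer\Quick Launch"
    "%USERPROFILE%\My Documents"
) do (
    if exist %%D (
        echo Unhiding %%~D
        attrib -h %%D
        attrib -h "%%~D\*" /s /d
    ) else (
        echo Skipping %%~D - not found
    )
)

rem Step 3: verify the setting held. If it has already flipped back to 2,
rem   something is still running and resetting it; clean that up first.
reg query "%ADV%" /v Hidden | find "0x1" >nul
if errorlevel 1 (
    echo WARNING: the Hidden setting did not stick - a process is still resetting it.
    exit /b 1
)
echo Hidden-files setting restored. Log off and on, or restart explorer.exe, to see the change.
exit /b 0
```

Re-run step 3 a few minutes later (the post describes the reset happening every few minutes); if the value is back to 2 the process that was supposedly blocked is still active, and that is the thing to hunt down before re-unhiding anything.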

Thanks, ComboFix!

