Combofix breaks internet

canadian69

Distinguished
May 1, 2010
Ran into an interesting computer issue today (Win XP sp3), this machine has some sort of redirect spyware/malware running on it, which takes the user to web pages that they don't wish to visit. Malwarebytes didn't detect anything nor did Symantec Endpoint. I am running the MSR.exe right now, but thus far no infections have been found, browser behavior clearly disputes this.

So anyway I went to run combofix, but it won't run (yes I have the latest), it extracts, updates and fails on the restart. I have tried running it in safe mode as well, but can't get it to launch properly. My conclusion is this machine has some malware capable of messing with combofix.

I also noticed a strange effect each time I try to run combofix: it temporarily kills my wifi. I am still connected, but the network icon disappears from the system tray, I have to go through control panel to get it back and after this Firefox no longer connects. I tried flushing the DNS, no go, restarting brings the network back up, but I am still saddled with the redirect issue.

Notably, there is nothing in the process list that seems strange. There is nothing wrong with the hosts file or with the network config. Nothing jumps out in the hijackthis log.

Any ideas?
 
PhilFrisbie

Distinguished
It is likely some malware has installed a layered service provider (LSP) that is hijacking DNS requests. You can help confirm this by using another browser, and if you get the same redirects then it is not simply an infected browser.
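A way to check the Winsock-catalog possibility raised in the reply above, added here as an example rather than anything posted in the thread. It assumes PowerShell 2.0 is installed on the XP machine and that `netsh winsock show catalog` prints the `Entry Type:`, `Description:` and `Provider Path:` labels the parser looks for.

```powershell
# Added example (not from the thread): list Winsock catalog entries and flag
# any provider DLL that does not live under %SystemRoot%\system32, which is
# where the stock XP providers (mswsock.dll, rsvpsp.dll, winrnr.dll) reside.
# The field labels below are assumed to match the output of
# `netsh winsock show catalog` on XP SP3; adjust the regex if your build differs.
function Get-WinsockProviders {
    param([string[]]$CatalogText)
    $entries = @()
    $cur = $null
    foreach ($line in $CatalogText) {
        # Each block starts with "Winsock Catalog Provider Entry" or
        # "Name Space Provider Entry"; namespace blocks have no path and are not flagged.
        if ($line -match 'Provider Entry\s*$') {
            if ($cur) { $entries += $cur }
            $cur = @{ EntryType = ''; Description = ''; ProviderPath = '' }
        } elseif ($cur -and $line -match '^\s*(Entry Type|Description|Provider Path):\s*(.*?)\s*$') {
            $key = $matches[1] -replace ' ', ''   # "Provider Path" -> "ProviderPath"
            $cur[$key] = $matches[2]
        }
    }
    if ($cur) { $entries += $cur }
    $entries | ForEach-Object { New-Object PSObject -Property $_ }
}

function Test-SuspiciousProvider {
    param($Entry)
    if ($Entry.ProviderPath -eq '') { return $false }
    $path   = [Environment]::ExpandEnvironmentVariables($Entry.ProviderPath)
    $sys32  = Join-Path $env:SystemRoot 'system32'
    # Anything outside system32 is worth a closer look, not automatically malicious.
    return -not $path.ToLower().StartsWith($sys32.ToLower())
}

$catalog = netsh winsock show catalog
$flagged = Get-WinsockProviders $catalog | Where-Object { Test-SuspiciousProvider $_ }
if ($flagged) {
    $flagged | Format-Table EntryType, Description, ProviderPath -AutoSize
} else {
    'No Winsock providers found outside %SystemRoot%\system32.'
}
# Record any unexpected DLL path before cleaning. Once the malware has been
# removed, `netsh winsock reset` rebuilds the catalog (a reboot is required).
```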
 

canadian69

Distinguished
May 1, 2010
I have tried Chrome and Opera and IE and they all seem to be working, however the redirects are intermittent with FF 13.0.1 so I can't confirm 100%.

So if we assume that FF is compromised somehow, I still have the remaining issue of not being able to run Combofix (not even in safe mode). I recognize that this may be coincidental and caused by some other issue, but we know that the browser is redirecting due to some piece of malware, yet nothing detects it and I can't run the tool that arguably works best, lol.

Where to from here I wonder?
 

canadian69

Distinguished
May 1, 2010
So it seems that TDSSKiller found whatever malware it was that was causing the problem (Win32.ZAccess.aml); once that was cleaned and rebooted, combofix was able to run correctly and found a pile of other stuff.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\Application Data\app
c:\documents and settings\Admin\Application Data\app\Jerakine_lang.dat
c:\documents and settings\Admin\Application Data\app\Jerakine_lang_vesrion.dat
c:\documents and settings\Admin\Application Data\vso_ts_preview.xml

System running fine now.
 
Solution