Hello, on an old laptop (Win7 SP1 32 bit), all MS Windows Update security patches applied, I recently started having problems with occasional freezes of about 10 seconds duration (on whatever application was running: MS Word, browser...). High level of CPU activity for the duration of the freeze. No obvious malware, nothing strange in Process Monitor. AVG Free does not report any problem, and completes a complete scan with no problems.

Ran MWBytes with latest definitions, found 2 items, hiding in non system-critical files:
- Trojan.ransom.gen
- Backdoor.IRCBot.FB
Removed these using MWBytes. Uninstalled AVG Free. Rebooted.

Ran MWBytes antirootkit (mbam 10.07.0.1008, with DB v2013.12.25.03). Nothing found.

Ran Kaspersky antirootkit, TDSSKiller. Found compromised sptd.service. Quarantined (I can reinstall the software). Rebooted.

Tried running ComboFix. It stalls just after letting you know that the scan can take over 10 minutes. Does not get to showing scan stages. No clock change. Waited one hour and no change. Alt-Ctrl-Del disabled (by malware?) when ComboFix is run. Hard reboot needed to go anywhere.

TDSSKiller scan was clean when run a second time.

Tried running DDS; it stalls too, with the progress bar at about 3/4 and "Please wait..." No log file generated.

Laptop has Linux installed as well, Linux bootloader. See aswMBR scan log (clean) for details.

Suggestions anyone? Thanks!
////// ASWMBR SCAN LOG //////////////////////////
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-12-25 09:35:53
-----------------------------
09:35:53.678 OS Version: Windows 6.1.7601 Service Pack 1
09:35:53.678 Number of processors: 1 586 0xD06
09:35:53.688 ComputerName: T42-WIN7 UserName: T42-Win7
09:35:54.349 Initialize success
09:51:13.186 AVAST engine defs: 13122500
10:09:31.285 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
10:09:31.295 Disk 0 Vendor: SAMSUNG_HM160HC LQ100-10 Size: 152627MB BusType: 3
10:09:31.425 Disk 0 MBR read successfully
10:09:31.445 Disk 0 MBR scan
10:09:31.465 Disk 0 unknown MBR code
10:09:31.475 Disk 0 Partition 1 00 17 Hidd HPFS/NTFS 219 MB offset 63
10:09:31.495 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 60466 MB offset 453600
10:09:31.525 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 81000 MB offset 124291440
10:09:31.545 Disk 0 Partition - 00 05 Extended 10936 MB offset 290183101
10:09:31.575 Disk 0 Partition 4 00 82 Linux swap 2034 MB offset 290183103
10:09:31.595 Disk 0 Partition - 00 05 Extended 8902 MB offset 294349104
10:09:31.645 Disk 0 scanning sectors +312581808
10:09:31.676 Disk 0 scanning C:\Windows\system32\drivers
10:09:52.736 Service scanning
10:10:36.819 Modules scanning
10:10:46.824 Disk 0 trace - called modules:
10:10:46.854 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
10:10:46.874 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86e624c8]
10:10:46.894 3 CLASSPNP.SYS[8aeab59e] -> nt!IofCallDriver -> [0x860c3608]
10:10:46.914 5 ACPI.sys[8a6273d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x860bf610]
10:10:47.294 AVAST engine scan C:\Windows
10:10:51.911 AVAST engine scan C:\Windows\system32
10:16:38.956 AVAST engine scan C:\Windows\system32\drivers
10:17:14.527 AVAST engine scan C:\Users\T42-Win7
10:23:59.670 AVAST engine scan C:\ProgramData
10:26:10.008 Scan finished successfully
10:49:09.632 Disk 0 MBR has been saved successfully to "C:\Users\T42-Win7\Desktop\MBR.dat"
10:49:09.652 The log file has been saved successfully to "C:\Users\T42-Win7\Desktop\aswMBR.txt"
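The partition lines in an aswMBR log like the one above can be sanity-checked mechanically instead of by eye. The Python below is an added example, not part of the original post or of the aswMBR tool: it parses the partition entries, treats "unknown MBR code" as expected only when a non-Windows bootloader is present (assumed here to be GRUB, since the post only says "Linux bootloader"), counts active partitions, and reports the unallocated gap before the first partition and any overlapping volumes.

```python
import re

# Constructed excerpt of the aswMBR log posted above (only the lines the parser needs).
ASWMBR_LOG = """\
10:09:31.465 Disk 0 unknown MBR code
10:09:31.475 Disk 0 Partition 1 00 17 Hidd HPFS/NTFS 219 MB offset 63
10:09:31.495 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 60466 MB offset 453600
10:09:31.525 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 81000 MB offset 124291440
10:09:31.545 Disk 0 Partition - 00 05 Extended 10936 MB offset 290183101
10:09:31.575 Disk 0 Partition 4 00 82 Linux swap 2034 MB offset 290183103
10:09:31.595 Disk 0 Partition - 00 05 Extended 8902 MB offset 294349104
"""

PART_RE = re.compile(r"Partition (?P<idx>\S+) (?P<boot>[0-9A-Fa-f]{2}) (?:\(A\) )?"
                     r"(?P<type>[0-9A-Fa-f]{2}) (?P<name>.+?) (?P<size>\d+) MB offset (?P<off>\d+)$")
SECTORS_PER_MB = 1024 * 1024 // 512

def parse_aswmbr(text):
    """Return the MBR status and the partition entries listed in an aswMBR log."""
    parts = []
    for line in text.splitlines():
        m = PART_RE.search(line)
        if m:
            start = int(m["off"])
            parts.append({"idx": m["idx"], "active": m["boot"].upper() == "80", "name": m["name"],
                          "start": start, "end": start + int(m["size"]) * SECTORS_PER_MB,
                          "container": m["type"] in ("05", "0F")})  # extended/EBR links, not volumes
    return {"mbr_unknown": "unknown MBR code" in text, "partitions": parts}

def review(report, linux_bootloader):
    """Defender-side sanity checks: bootloader status, active flag, MBR gap, overlaps."""
    findings = []
    if report["mbr_unknown"]:
        findings.append("unknown MBR code: expected with a Linux bootloader such as GRUB installed"
                        if linux_bootloader else "unknown MBR code: no non-Windows bootloader known, compare MBR.dat")
    vols = sorted((p for p in report["partitions"] if not p["container"]), key=lambda p: p["start"])
    active = [p["idx"] for p in vols if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    if vols and vols[0]["start"] > 1:   # sectors 1..start-1 are unused by the OS; worth imaging alongside MBR.dat
        findings.append(f"{vols[0]['start'] - 1} unallocated sectors before partition {vols[0]['idx']}")
    for a, b in zip(vols, vols[1:]):
        if a["end"] > b["start"]:
            findings.append(f"partition {a['idx']} overlaps partition {b['idx']}")
    return findings

if __name__ == "__main__":
    for finding in review(parse_aswmbr(ASWMBR_LOG), linux_bootloader=True):
        print(finding)
```

On this log the only findings are the expected unknown bootloader code and the 62-sector gap before partition 1; the single active partition and non-overlapping volumes are consistent with a clean table.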
Hi Paynor, Try running ComboFix in Safe Mode. If it works, post the log and I can help you clean the rest, or if it doesn't, we'll try something else. 2oG
ddp - it's a backdoor bot - Backdoor.IRCBot.FB. This one stops ComboFix and DDS from running... If he can get Combo to run in safe mode it may get the bad part of it. It allows remote access to the computer. BAD GUY!!! p.s. He also has a post for help on malwarebytes.org - they are good with these.
Thought it might have something to do with this http://forums.afterdawn.com/thread_jump.cfm/965453/5922807 and what he has/had might have been there from before, or MS is infected, as that happened to me once years ago.
No, it has nothing to do with the updates. MB.org has been using Farbar Recovery Scan Tool to fix it, but I haven't been there in so long I have no training using it. But the last one I ran across, ComboFix and OTL plus some scanners took care of it. Hope MB.org doesn't see his post on here.
They don't like multiple posts. It gets people screwed up on the order of removal. They want you to delete all other posts before they will help.
To them it is... they're not as loose as we are. 1 victim and 1 helper on a thread, no peanut gallery. No P2P software installed, no cracks, keygens or illegal operating systems. No business machines etc. etc. etc. He he, been there, done that.
2 different sites for the same problem I call the shotgun approach. I do the same when applying for a job, in that I hit as many places with a resume as possible at once so I can always say no to other job offers when I have a job.
2oG - Same problem with ComboFix running Win in safe mode. ComboFix freezes after a little burst of HD activity. Alt-Ctrl-Del disabled. Waited half an hour. No system clock change. ComboFix does not get to the point where it shows the stages.
ddp - I don't think so, it started several weeks ago (don't remember when in relation to the Windows Update run), but I initially thought it was just because the HD was getting too full. However, freeing up HD space did not help, so then I started looking for malware.
This one is a real bear to get out... Try this: Download rkill and run it before running ComboFix; it will stop the running processes that are keeping Combo and DDS from running. If you reinstalled AVG, disable it before running ComboFix in regular mode. Don't reboot after running rkill, or you will have to run it again. It will just flash a black box when it runs. I think? Haha, been a long time.
Rkill: http://www.majorgeeks.com/mg/get/rkill,1.html
2oG
p.s. pls post the log
Did not reinstall any AV software; PC is still not running any AV. I ran rkill the first time and the scan result contained the following line: "* HKLM\Software\Classes\.exe\shell found and deleted!" The log file was overwritten when I ran rkill the second time, so I have only the second rkill log here:

******************************************************************
Rkill 2.6.4 by Lawrence Abrams (Grinler)
link removed for posting
Copyright 2008-2013 BleepingComputer
More Information about Rkill can be found at this link:
link removed for posting

Program started at: 12/26/2013 08:13:57 PM in x86 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:
* No malware services found to stop.

Checking for processes to terminate:
* No malware processes found to kill.

Checking Registry for malware related settings:
* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
* No issues found.

Checking Windows Service Integrity:
* No issues found.

Searching for Missing Digital Signatures:
* No issues found.

Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com

Program finished at: 12/26/2013 08:15:18 PM
Execution time: 0 hours(s), 1 minute(s), and 20 seconds(s)
****************************************************************

Then tried ComboFix one more time (in normal mode). Same freeze problem as before.
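The rkill output ends with two HOSTS file entries, and those deserve classifying rather than a glance: pinning a hostname to loopback is exactly how malware blocks security-vendor and Windows Update hosts so tools cannot update, while an entry pointing a real name at a routable address is a redirect worth treating as hostile. The Python below is an added example, not rkill's own code; the HOSTS text, the extra update.microsoft.com line and the vendor watchlist are constructed for illustration.

```python
import ipaddress

# Constructed HOSTS sample: the two entries rkill reported above, the stock localhost lines,
# and one hypothetical blocking line of the kind malware adds to keep a machine from updating.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
0.0.0.0 update.microsoft.com   # constructed example, not from the posted log
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Hostname fragments a defender never expects to see pinned in HOSTS (constructed watchlist).
SECURITY_WATCHLIST = ("microsoft.com", "windowsupdate", "malwarebytes", "avg.com",
                      "kaspersky", "avast", "symantec", "bleepingcomputer")

def parse_hosts(text):
    """Yield (ip, hostname) pairs the resolver would honour, skipping comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # inline comments are ignored by the resolver
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                             # malformed line: HOSTS ignores it, so do we
        entries.extend((ip, n.lower()) for n in names)
    return entries

def suspicious_entries(text):
    """Classify every non-local HOSTS entry as sinkhole, security-block or redirect."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            kind = "redirect"          # real name sent to a routable address: phishing/MITM pattern
        elif any(w in name for w in SECURITY_WATCHLIST):
            kind = "security-block"    # update/AV host blackholed: classic malware footprint
        else:
            kind = "sinkhole"          # blocked name, review whether it was done on purpose
        findings.append((name, str(ip), kind))
    return findings

if __name__ == "__main__":
    for name, ip, kind in suspicious_entries(HOSTS_SAMPLE):
        print(f"{kind:15} {ip:10} {name}")
```

For the two entries rkill actually found, the result is "sinkhole" (blocked Adobe activation hosts, not security infrastructure), which is the distinction the cleanup decision hinges on.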
Like I said, this honey's a bear... Let's see if you can run OTL:
--OTL--
Please download OTL by OldTimer to your Desktop. If you already have a copy of OTL, delete it and use this version.
Double click OTL.exe to launch the program.
Check the following:
Scan all users.
Standard Output.
Lop check.
Purity check.
Under Extra Registry section, select Use SafeList.
Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).
When finished it will produce two logs:
OTL.txt (open on your desktop).
Extras.txt (minimized in your taskbar)
Please post me both logs
2oG
Thanks for staying on this. Have tried posting the 2 log files, but I get a server error msg from the forum each time.
Trying to split into text sections to see if that helps the server error: section #1
OTL logfile created on: 27/12/2013 07:19:22 - Run 3 OTL by OldTimer - Version 3.2.69.0
Hold on to those logs and you should be able to post them later... The backdoor you have is NOT a rootkit but it hides like one, so please run MBAR and see if it catches it...
--Malwarebytes Anti-Rootkit--
Please download Malwarebytes Anti-Rootkit
• Unzip the contents to a folder in a convenient location.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please attempt to post the OTL logs you have and the MBAR folder..... mbar-log.txt and system-log.txt
2oG
Very strange! Even with HTML links removed, and split into small text sections, I still get the internal server error from AfterDawn after pasting any further sections of the log files as text. I don't see any option for posting them as attachments on the AfterDawn forum. Then I tried posting them as attachments to my post on the MWBytes forum, but the file upload fails there too. Strange for a 150 KB text file. "Extras.Txt This upload failed" All these attempts are from another (probably clean!) computer.