
Combofix stalls

Discussion in 'Windows - Virus and spyware problems' started by Paynor, Dec 25, 2013.

  1. Paynor

    Paynor Newbie

    Joined:
    Dec 25, 2013
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    On an old laptop (Win7 SP1 32 bit), all MS Windows Update security patches applied, I recently started having problems with occasional freezes of about 10 seconds' duration (on whatever application was running: MS Word, browser...). High level of CPU activity for the duration of the freeze. No obvious malware, nothing strange in process monitor. AVGFree does not report any problem, and completes a complete scan with no problems.

    Ran MWBytes with latest definitions, found 2 items, hiding in non system-critical files:
    - Trojan.ransom.gen
    - Backdoor.IRCBot.FB
    Removed these using MWBytes.

    Uninstalled AVGFree.

    Rebooted.

    Ran MWBytes antirootkit (mbam 10.07.0.1008, with DB v2013.12.25.03).
    Nothing found.

    Ran Kaspersky antirootkit, TDSSKiller.
    Found compromised sptd.service. Quarantined (I can reinstall the software).

    Rebooted.

    Tried running ComboFix. It stalls just after letting you know that the scan can take over 10 minutes. Does not get to showing scan stages. No clock change. Waited one hour and no change. ALT CTRL DEL disabled (by malware?) when ComboFix is run. Hard reboot needed to go anywhere. TDSSKiller scan was clean when run a second time.

    Tried running DDS, it stalls too with the progress bar at about 3/4 and "Please wait..." No log file generated.

    Laptop has Linux installed as well, Linux bootloader. See ASWMBR scan log (clean) for details.

    Suggestions anyone? Thanks!

    ////// ASWMBR SCAN LOG //////////////////////////

    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2013-12-25 09:35:53
    -----------------------------
    09:35:53.678 OS Version: Windows 6.1.7601 Service Pack 1
    09:35:53.678 Number of processors: 1 586 0xD06
    09:35:53.688 ComputerName: T42-WIN7 UserName: T42-Win7
    09:35:54.349 Initialize success
    09:51:13.186 AVAST engine defs: 13122500
    10:09:31.285 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    10:09:31.295 Disk 0 Vendor: SAMSUNG_HM160HC LQ100-10 Size: 152627MB BusType: 3
    10:09:31.425 Disk 0 MBR read successfully
    10:09:31.445 Disk 0 MBR scan
    10:09:31.465 Disk 0 unknown MBR code
    10:09:31.475 Disk 0 Partition 1 00 17 Hidd HPFS/NTFS 219 MB offset 63
    10:09:31.495 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 60466 MB offset 453600
    10:09:31.525 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 81000 MB offset 124291440
    10:09:31.545 Disk 0 Partition - 00 05 Extended 10936 MB offset 290183101
    10:09:31.575 Disk 0 Partition 4 00 82 Linux swap 2034 MB offset 290183103
    10:09:31.595 Disk 0 Partition - 00 05 Extended 8902 MB offset 294349104
    10:09:31.645 Disk 0 scanning sectors +312581808
    10:09:31.676 Disk 0 scanning C:\Windows\system32\drivers
    10:09:52.736 Service scanning
    10:10:36.819 Modules scanning
    10:10:46.824 Disk 0 trace - called modules:
    10:10:46.854 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
    10:10:46.874 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86e624c8]
    10:10:46.894 3 CLASSPNP.SYS[8aeab59e] -> nt!IofCallDriver -> [0x860c3608]
    10:10:46.914 5 ACPI.sys[8a6273d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x860bf610]
    10:10:47.294 AVAST engine scan C:\Windows
    10:10:51.911 AVAST engine scan C:\Windows\system32
    10:16:38.956 AVAST engine scan C:\Windows\system32\drivers
    10:17:14.527 AVAST engine scan C:\Users\T42-Win7
    10:23:59.670 AVAST engine scan C:\ProgramData
    10:26:10.008 Scan finished successfully
    10:49:09.632 Disk 0 MBR has been saved successfully to "C:\Users\T42-Win7\Desktop\MBR.dat"
    10:49:09.652 The log file has been saved successfully to "C:\Users\T42-Win7\Desktop\aswMBR.txt"
     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hi Paynor,

    Try running ComboFix in Safe Mode.

    If it works, post the log and I can help you clean the rest.

    Or if it doesn't, we'll try something else :)

    2oG
     
  3. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,153
    Likes Received:
    134
    Trophy Points:
    143
    Paynor, did the problem start just after the Windows updates?
     
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    ddp - it's a backdoor bot - Backdoor.IRCBot.FB

    This one stops ComboFix and DDS from running...

    If he can get Combo to run in Safe Mode it may get the bad part of it.

    It allows remote access to the computer. BAD GUY!!!

    P.S. He also has a post for help on malwarebytes.org - they are good with these. :)
     
    Last edited: Dec 25, 2013
  5. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,153
    Likes Received:
    134
    Trophy Points:
    143
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    No, it has nothing to do with the updates.
    MB.org has been using Farbar Recovery Scan Tool to fix it, but I haven't been there in so long that I have no training using it. But the last one I ran across, ComboFix and OTL plus some scanners took care of it.

    Hope MB.org doesn't see his post on here.
     
  7. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,153
    Likes Received:
    134
    Trophy Points:
    143
    Why?
     
  8. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    They don't like multiple posts. It gets people screwed up on the order of removal. They want you to delete all other posts before they will help.
     
  9. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,153
    Likes Received:
    134
    Trophy Points:
    143
    But if he has 1 post on their site & 1 post on ours, then it's not multi-posting.
     
  10. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    To them it is.
    They're not as loose as we are. 1 victim and 1 helper on a thread, no peanut gallery.
    No P2P software installed, no cracks, keygens or illegal operating systems, no business machines, etc. etc. etc.

    He he, been there, done that.
     
  11. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,153
    Likes Received:
    134
    Trophy Points:
    143
    2 different sites for the same problem I call the shotgun approach. I do the same when applying for a job, in that I hit as many places with a resume as possible at once, so I can always say no to other job offers when I have a job.
     
  12. Paynor

    Paynor Newbie

    Joined:
    Dec 25, 2013
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    2oG - Same problem in ComboFix running Win in Safe Mode. ComboFix freezes, after a little burst of HD activity. ALT CTRL DEL disabled. Waited half an hour. No system clock change. ComboFix does not get to the point where it shows the stages.
     
  13. Paynor

    Paynor Newbie

    Joined:
    Dec 25, 2013
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    ddp - I don't think so, it started several weeks ago (don't remember when in relation to the Windows Update run), but I initially thought it was just because the HD was getting too full. However, freeing up HD space did not help, so then I started looking for malware.
     
  14. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    This one is a real bear to get out...

    Try this:

    Download Rkill and run it before running ComboFix; it will stop the running processes that are keeping Combo and DDS from running.

    If you reinstalled AVG, disable it before running ComboFix in regular mode.
    Don't reboot after running Rkill, or you will have to run it again. It will just flash a black box when it runs. I think? Haha, been a long time :)
    Rkill:
    http://www.majorgeeks.com/mg/get/rkill,1.html

    2oG

    P.S. Please post the log.
     
    Last edited: Dec 26, 2013
  15. Paynor

    Paynor Newbie

    Joined:
    Dec 25, 2013
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Did not reinstall any AV software, the PC is still not running any AV.

    I ran Rkill the first time; the scan result contained the following line:
    "* HKLM\Software\Classes\.exe\shell found and deleted!"
    The log file was overwritten when I ran Rkill the second time, so I have only the second Rkill log here:
    ******************************************************************
    Rkill 2.6.4 by Lawrence Abrams (Grinler)
    link removed for posting
    Copyright 2008-2013 BleepingComputer
    More Information about Rkill can be found at this link:

    link removed for posting

    Program started at: 12/26/2013 08:13:57 PM in x86 mode.
    Windows Version: Windows 7 Home Premium Service Pack 1

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * No issues found.

    Checking Windows Service Integrity:

    * No issues found.

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * HOSTS file entries found:

    127.0.0.1 activate.adobe.com
    127.0.0.1 practivate.adobe.com

    Program finished at: 12/26/2013 08:15:18 PM
    Execution time: 0 hours(s), 1 minute(s), and 20 seconds(s)

    ****************************************************************

    Then tried Combofix one more time (in normal mode). Same freeze problem as before.
     
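    The `.exe\shell` key that Rkill reported is a per-extension override of the normal exefile launcher, which is one way a program start can be diverted before ComboFix ever gets going. The script below is an added example (not from the thread, Rkill or any other tool) that audits that state: it assumes the stock Windows layout, ProgID `exefile` with open command `"%1" %*`, and the key paths it names; the live registry reader is Windows-only, the audit function itself runs anywhere on a dict snapshot.

```python
import re

try:
    import winreg  # Windows only; the audit itself runs on any OS
except ImportError:
    winreg = None

# Stock Windows values, extension -> (ProgID, open command); assumed layout, not from the thread.
DEFAULTS = {
    ".exe": ("exefile", '"%1" %*'),
    ".com": ("comfile", '"%1" %*'),
    ".bat": ("batfile", '"%1" %*'),
}

def normalize_command(cmd):
    """Collapse whitespace and case so spacing variants of the same command compare equal."""
    return re.sub(r"\s+", " ", cmd or "").strip().lower()

def audit_associations(classes, defaults=DEFAULTS):
    """classes maps key paths relative to HKLM\\Software\\Classes to their default value
    ('' for a key that exists but has none). Empty result means the associations are stock."""
    findings = []
    lowered = {k.lower(): v for k, v in classes.items()}
    for ext, (progid, expected_cmd) in defaults.items():
        if lowered.get(ext) != progid:
            findings.append(f"{ext}: ProgID is {lowered.get(ext)!r}, expected {progid!r}")
        # A 'shell' key directly under the extension is what Rkill reported as
        # '.exe\shell found and deleted': it takes precedence over the ProgID handler.
        if any(k.startswith(ext + "\\shell") for k in lowered):
            findings.append(f"{ext}: per-extension shell override present")
        cmd_key = progid + "\\shell\\open\\command"
        actual = lowered.get(cmd_key)
        if normalize_command(actual) != normalize_command(expected_cmd):
            findings.append(f"{cmd_key}: {actual!r}, expected {expected_cmd!r}")
    return findings

def read_live_classes(defaults=DEFAULTS):
    """Collect the same keys from the live registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    classes = {}
    def grab(path):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "Software\\Classes\\" + path) as key:
                try:
                    classes[path] = winreg.QueryValue(key, None)
                except OSError:
                    classes[path] = ""  # key exists, no default value
        except OSError:
            pass  # key absent, which is the expected state for the override key
    for ext, (progid, _cmd) in defaults.items():
        grab(ext)
        grab(ext + "\\shell")
        grab(progid + "\\shell\\open\\command")
    return classes

# Constructed sample of the hijacked state Rkill repaired, beside a clean one.
HIJACKED = {
    ".exe": "exefile", ".exe\\shell": "",        # the override key Rkill deleted
    "exefile\\shell\\open\\command": '"%1" %*',
    ".com": "comfile", "comfile\\shell\\open\\command": '"%1" %*',
    ".bat": "batfile", "batfile\\shell\\open\\command": '"%1" %*',
}
CLEAN = {k: v for k, v in HIJACKED.items() if k != ".exe\\shell"}
```

    On a Windows box, `audit_associations(read_live_classes())` runs the same checks against the real keys.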
  16. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Like I said, this honey's a bear...

    Let's see if you can run OTL:


    --OTL--

    Please download OTL by OldTimer to your Desktop.

    If you already have a copy of OTL, delete it and use this version.

    Double click OTL.exe to launch the program.

    Check the following:
    • Scan all users.
    • Standard Output.
    • Lop check.
    • Purity check.
    • Under Extra Registry section, select Use SafeList.
    Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).

    When finished it will produce two logs:
    • OTL.txt (open on your desktop).
    • Extras.txt (minimized in your taskbar).

    Please post me both logs.

    2oG
     
  17. Paynor

    Paynor Newbie

    Joined:
    Dec 25, 2013
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for staying on this. Have tried posting the 2 log files, but I get a server error message from the forum each time.
     
  18. Paynor

    Paynor Newbie

    Joined:
    Dec 25, 2013
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Trying to split into text sections to see if that helps the server error:
    section #1

    OTL logfile created on: 27/12/2013 07:19:22 - Run 3
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\T42-Win7\Desktop
    Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.10.9200.16750)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.09 Gb Available Physical Memory | 54.64% Memory free
    4.00 Gb Paging File | 3.02 Gb Available in Paging File | 75.53% Paging File free
    Paging file location(s): c:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 59.05 Gb Total Space | 15.56 Gb Free Space | 26.35% Space Free | Partition Type: NTFS
    Drive D: | 79.10 Gb Total Space | 3.96 Gb Free Space | 5.01% Space Free | Partition Type: NTFS
    Drive F: | 3.61 Gb Total Space | 1.33 Gb Free Space | 36.85% Space Free | Partition Type: FAT32

    Computer Name: T42-WIN7 | User Name: T42-Win7 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/12/24 19:36:10 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\T42-Win7\Desktop\OTL.exe
    PRC - [2013/11/12 15:28:02 | 001,144,544 | ---- | M] (Druide informatique inc.) -- C:\Program Files\Druide\Antidote 8\Programmes32\AgentAntidote.exe
    PRC - [2013/10/01 07:14:40 | 005,087,584 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
    PRC - [2013/09/05 09:04:00 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2013/08/02 03:08:22 | 000,692,328 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    PRC - [2013/05/28 11:50:02 | 000,218,112 | ---- | M] () -- C:\Program Files\GNU\GnuPG\dirmngr.exe
    PRC - [2012/11/22 21:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2011/12/23 12:33:08 | 000,134,416 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    PRC - [2011/12/09 12:47:36 | 000,726,912 | ---- | M] (FileOpen Systems Inc.) -- C:\Program Files\FileOpen\Services\FileOpenBroker32.exe
    PRC - [2011/11/04 14:37:16 | 000,330,304 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    PRC - [2011/10/20 09:58:46 | 000,101,440 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
    PRC - [2011/07/12 17:03:32 | 000,069,568 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    PRC - [2011/07/12 16:17:04 | 000,138,680 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
    PRC - [2011/07/12 15:54:02 | 000,127,336 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe
    PRC - [2011/07/12 15:53:48 | 000,131,432 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tphkload.exe
    PRC - [2011/07/12 15:53:18 | 000,142,696 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
    PRC - [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2010/12/04 10:42:58 | 002,411,520 | ---- | M] (GoldenDict) -- C:\Program Files\GoldenDict\GoldenDict.exe
    PRC - [2010/10/27 12:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    PRC - [2010/08/25 04:27:44 | 000,309,824 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    PRC - [2010/07/04 19:07:40 | 000,238,952 | ---- | M] (Teruten) -- C:\Windows\System32\FsUsbExService.Exe
    PRC - [2010/03/18 04:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    PRC - [2009/11/24 10:25:34 | 004,463,400 | ---- | M] (Wacom Technology, Corp.) -- C:\Windows\System32\Wacom_Tablet.exe
    PRC - [2009/11/24 10:25:34 | 001,823,528 | ---- | M] (Wacom Technology, Corp.) -- C:\Windows\System32\WTablet\Wacom_TabletUser.exe
    PRC - [2009/11/09 06:48:34 | 000,054,632 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\cammute.exe
    PRC - [2009/09/23 09:45:50 | 001,287,176 | ---- | M] (Panda Security) -- C:\Program Files\Panda USB Vaccine\USBVaccine.exe
    PRC - [2007/03/26 09:00:26 | 000,069,632 | ---- | M] (Software 2000 Limited) -- C:\Windows\System32\spool\drivers\w32x86\3\HP1005MC.EXE
    PRC - [2003/03/19 13:24:00 | 000,045,056 | ---- | M] (GNU) -- C:\Program Files\SC_TOOLS\visualCVS_server\exec\windows\cvsNt\cvsservice.exe
    PRC - [2003/03/19 13:24:00 | 000,045,056 | ---- | M] () -- C:\Program Files\SC_TOOLS\visualCVS_server\exec\windows\cvsNt\cvslock.exe


    ========== Modules (No Company Name) ==========

    MOD - [2013/08/07 14:25:24 | 000,093,696 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
    MOD - [2013/07/27 15:50:30 | 016,547,328 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\10ac4ed5a22a4882529e01cf7bd8b895\mscorlib.ni.dll
    MOD - [2010/12/03 16:03:12 | 000,007,168 | ---- | M] () -- C:\Program Files\GoldenDict\GdTextOutSpy.dll
    MOD - [2010/12/03 06:37:48 | 000,378,880 | ---- | M] () -- C:\Program Files\GoldenDict\imageformats\qtiff4.dll
    MOD - [2010/12/03 06:37:48 | 000,351,744 | ---- | M] () -- C:\Program Files\GoldenDict\imageformats\qmng4.dll
    MOD - [2010/12/03 06:37:48 | 000,286,720 | ---- | M] () -- C:\Program Files\GoldenDict\imageformats\qjpeg4.dll
    MOD - [2010/12/03 06:37:48 | 000,083,456 | ---- | M] () -- C:\Program Files\GoldenDict\imageformats\qico4.dll
    MOD - [2010/12/03 06:37:46 | 000,083,456 | ---- | M] () -- C:\Program Files\GoldenDict\imageformats\qgif4.dll
    MOD - [2010/12/03 06:32:46 | 000,399,360 | ---- | M] () -- C:\Program Files\GoldenDict\QtXml4.dll
    MOD - [2010/12/03 06:32:40 | 000,344,576 | ---- | M] () -- C:\Program Files\GoldenDict\phonon4.dll
    MOD - [2010/12/03 06:32:28 | 017,314,816 | ---- | M] () -- C:\Program Files\GoldenDict\QtWebKit4.dll
    MOD - [2010/12/03 06:32:22 | 001,149,440 | ---- | M] () -- C:\Program Files\GoldenDict\QtNetwork4.dll
    MOD - [2010/12/03 06:32:18 | 000,043,008 | ---- | M] () -- C:\Program Files\GoldenDict\libgcc_s_dw2-1.dll
    MOD - [2010/12/03 06:32:12 | 000,011,362 | ---- | M] () -- C:\Program Files\GoldenDict\mingwm10.dll
    MOD - [2010/12/03 06:32:00 | 009,889,792 | ---- | M] () -- C:\Program Files\GoldenDict\QtGui4.dll
    MOD - [2010/12/03 06:31:58 | 002,543,616 | ---- | M] () -- C:\Program Files\GoldenDict\QtCore4.dll
    MOD - [2009/05/16 00:22:42 | 000,716,800 | ---- | M] () -- C:\Program Files\Samsung\Samsung PC Studio 7\PCSCM_Samsung.dll
    MOD - [2008/12/06 01:41:50 | 000,619,008 | ---- | M] () -- C:\Program Files\Samsung\Samsung PC Studio 7\PhoneBrowser.dll
    MOD - [2005/04/19 18:38:00 | 000,396,288 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\BATINFEX.DLL
     
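    Reading an OTL log by hand means scanning the PRC/MOD lines for the things its own header already hints at: an empty company name, a recent modification time against the "File Age = 30 Days" setting, and a path in a user-writable location. The parser and triage below are an added example, not part of OTL or of this thread; the sample lines are copied from the log posted above, and the triage rules are my own assumptions, a starting point for review rather than a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One OTL process/module line: "PRC - [mtime | size | attrs | M] (company) -- path"
OTL_LINE = re.compile(
    r"^(?P<kind>PRC|MOD) - \[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[^|]+?) \| (?P<stamp>\w)\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+)$"
)

# Locations a limited user can write to; services and drivers rarely run from here.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

@dataclass
class Entry:
    kind: str        # PRC (running process) or MOD (loaded module)
    mtime: datetime
    size: int
    company: str
    path: str

def parse_otl_lines(text):
    """Parse the PRC/MOD lines of an OTL log; headers and other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], datetime.strptime(m["mtime"], "%Y/%m/%d %H:%M:%S"),
                                 int(m["size"].replace(",", "")), m["company"].strip(), m["path"].strip()))
    return entries

def triage(entries, scan_time, file_age_days=30):
    """Return {path: [reasons]} for entries worth a second look.
    file_age_days mirrors the 'File Age = 30 Days' setting in the OTL header."""
    cutoff = scan_time - timedelta(days=file_age_days)
    flagged = {}
    for e in entries:
        reasons = []
        if e.kind == "PRC" and not e.company:   # running process with no publisher string
            reasons.append("no company name")
        if e.path.lower().startswith(USER_WRITABLE):
            reasons.append("user-writable location")
        if e.mtime >= cutoff:
            reasons.append(f"modified within {file_age_days} days of scan")
        if reasons:
            flagged[e.path] = reasons
    return flagged

# Constructed sample: a few lines copied from the OTL log posted in the thread.
SAMPLE = r"""
========== Processes (SafeList) ==========
PRC - [2013/12/24 19:36:10 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\T42-Win7\Desktop\OTL.exe
PRC - [2013/11/12 15:28:02 | 001,144,544 | ---- | M] (Druide informatique inc.) -- C:\Program Files\Druide\Antidote 8\Programmes32\AgentAntidote.exe
PRC - [2013/05/28 11:50:02 | 000,218,112 | ---- | M] () -- C:\Program Files\GNU\GnuPG\dirmngr.exe
PRC - [2012/11/22 21:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2003/03/19 13:24:00 | 000,045,056 | ---- | M] () -- C:\Program Files\SC_TOOLS\visualCVS_server\exec\windows\cvsNt\cvslock.exe
========== Modules (No Company Name) ==========
MOD - [2013/08/07 14:25:24 | 000,093,696 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2013/07/27 15:50:30 | 016,547,328 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\10ac4ed5a22a4882529e01cf7bd8b895\mscorlib.ni.dll
"""
SCAN_TIME = datetime(2013, 12, 27, 7, 19, 22)   # "OTL logfile created on: 27/12/2013 07:19:22"
```

    `triage(parse_otl_lines(SAMPLE), SCAN_TIME)` flags OTL.exe itself (freshly downloaded to the Desktop) along with the two no-company processes, which is exactly the kind of list a helper then checks by hand.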
  19. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hold on to those logs and you should be able to post them later...

    The Backdoor you have is NOT a rootkit but it hides like one, so please run MBAR and see if it catches it...
    --Malwarebytes Anti-Rootkit--

    Please download Malwarebytes Anti-Rootkit
    • Unzip the contents to a folder in a convenient location.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.

    When done, please attempt to post the OTL logs you have and the MBAR folder..... mbar-log.txt and system-log.txt

    2oG
     
  20. Paynor

    Paynor Newbie

    Joined:
    Dec 25, 2013
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Very strange!
    Even with HTML links removed, and split into small text sections, I still get the internal server error from AfterDawn after pasting any further sections of the log files as text. I don't see any option for posting them as attachments on the AfterDawn forum.

    Then I tried posting them as attachments to my post on the MWBytes forum, but the file upload fails there too. Strange for a 150 KB text file.
    "Extras.Txt
    This upload failed"

    All these attempts are from another (probably clean!) computer.
     
