combofix freezing

On two different XP (SP3) laptops recently combofix has frozen after doing the registry backup - all activity blocked, only way out was to do a hard stop and restart from cold. I noticed that the Qoobox and combofix folders had been created, but nothing else had been affected. The systems were left for an hour at least before undertaking a cold restart.

One laptop I was prepared to ignore, but two different ones from different homes is puzzling. On the first I uninstalled AVG 8.5 first and rebooted, so there was no antivirus on the laptop when combofix was run - same by the way in safe mode too. There were viruses and a root kit on the laptop which I removed with other programs, but as the lappie has been returned I don't have any further details.

The second one Toshiba Equium M40X (512mb ram, hdd 60gb - 36% free) has Sophos running, but effectively it has the identical issue with combofix in standard and safe mode. It has malware on it too, I hard removed the "HDDOK" fake and then ran malwarebytes: one item, I think, was on both - TDSSPack-Z.

Full malwarebytes log below.




Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5502

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/01/2011 11:41:30
mbam-log-2011-01-11 (11-41-30).txt

Scan type: Full scan (C:\|)
Objects scanned: 263930
Time elapsed: 1 hour(s), 22 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 31
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{8C788AA2-7530-43BE-97B7-4D491F13BEA3} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09F1ADAC-76D8-4D0F-99A5-5C907DADB988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6FD31ED6-7C94-4BBC-8E95-F927F4D3A949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D95C7240-0282-4C01-93F5-673BCA03DA86} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CntntCntr.CntntDic (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CntntCntr.CntntDic.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CntntCntr.CntntDisp (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CntntCntr.CntntDisp.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CoreSrv.CoreServices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CoreSrv.CoreServices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CoreSrv.LfgAx (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CoreSrv.LfgAx.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HbCoreSrv.DynamicProp (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HbCoreSrv.DynamicProp.1 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HBMain.CommBand (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HBMain.CommBand.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.HbMain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.HbMain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostIE.Bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostIE.Bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostOL.MailAnim (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostOL.MailAnim.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostOL.WebmailSend (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostOL.WebmailSend.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Toolbar.HtmlMenuUI (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Toolbar.HtmlMenuUI.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Toolbar.ToolbarCtl (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Toolbar.ToolbarCtl.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\HostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\HostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\xakljfsgosi.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Elias\application data\Adobe\plugs\kb2008796.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1851832855-813821854-2380982375-1025\Dc1.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1851832855-813821854-2380982375-1025\Dc2.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\system volume information\_restore{95c8ba23-7dec-40cd-a7c2-1abb11423e47}\RP1064\A0443849.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{95c8ba23-7dec-40cd-a7c2-1abb11423e47}\RP1064\A0444849.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{95c8ba23-7dec-40cd-a7c2-1abb11423e47}\RP1064\A0445850.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{95c8ba23-7dec-40cd-a7c2-1abb11423e47}\RP1064\A0446191.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{95c8ba23-7dec-40cd-a7c2-1abb11423e47}\RP1066\A0446222.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{95c8ba23-7dec-40cd-a7c2-1abb11423e47}\RP1067\A0446483.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{95c8ba23-7dec-40cd-a7c2-1abb11423e47}\RP1067\A0446492.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{95c8ba23-7dec-40cd-a7c2-1abb11423e47}\RP1067\A0447492.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{95c8ba23-7dec-40cd-a7c2-1abb11423e47}\RP1067\A0447502.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{95c8ba23-7dec-40cd-a7c2-1abb11423e47}\RP1068\A0448519.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Elias\application data\Adobe\plugs\kb2039578.exe (Trojan.Agent) -> Quarantined and deleted successfully.

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. When issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

If you ran ComboFix on your own due to malware infection, please be aware that using it is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning an strategy for effective disinfection and a determination if using ComboFix is necessary. ComboFix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware which scan individual drives or different folders on a computer for viruses.

With that said, there are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alchohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual. In such cases, it is helpful to know at what stage CF stalled and to provide that information to the Helper who is assisting you so they can investigate. This is just another reason why you should only use ComboFix under supervision.

Which machine is this Malwarebytes' Anti-Malware log created from? We only do one computer per topic to avoid confusion.

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Then perform a scan with Eset Online Anti-virus Scanner.

• This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
• Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.

• Click the green button.
• Read the End User License Agreement and check the box:
• Check .
• Click the button.
• Accept any security warnings from your browser.
• Check
• Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
• Click the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer.
• If offered the option to get information or buy software at any point, just close the window.
• The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
• When the scan completes, push
• Push , and save the file to your desktop as ESETScan.txt.
• Push the button, then Finish.
• Copy and paste the contents of ESETScan.txt in your next reply.

Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt

• Click Ok and the scan results will open in Notepad.
• Copy and paste the contents of log.txt in your next reply.

-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

First let me thank you for your reply.

I have run the scans you suggested. I am referring to the Equium laptop (the first lappie is no longer here, I was using this for reference only).

I have a gut feeling that there is still something wrong, as even after a thorough system cleanup/defrag etc, the system is still slower than I would expect. I have played around with MSconfig, and while this helps I feel there is something not right (it was the same with the earlier laptop too, so there is some consistency)

MBAM second scan log

www.malwarebytes.org

Database version: 5503

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/01/2011 15:05:47
mbam-log-2011-01-11 (15-05-47).txt

Scan type: Quick scan
Objects scanned: 172729
Time elapsed: 11 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Eset scan log

C:\Documents and Settings\Elias\Application Data\Sun\Java\Deployment\cache\6.0\19\3d4ec9d3-1ddc63a5 probably a variant of Win32/Agent.FQRCZBA trojan deleted - quarantined
C:\Documents and Settings\Elias\Application Data\Sun\Java\Deployment\cache\6.0\22\3256-630324c0 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Documents and Settings\Elias\Application Data\Sun\Java\Deployment\cache\6.0\22\3bf7e416-5d6b008a a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Documents and Settings\Elias\Application Data\Sun\Java\Deployment\cache\6.0\50\299b3ab2-6aa614e6 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined

Your scan results indicate a threat(s) was found in the Java cache.

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder (C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache) for quick execution later and better performance. Malicious applets are also stored in the Java cache directory and your anti-virus may detect them and provide alerts. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache to ensure everything is cleaned out:

• Clear the Java cache
• Clear the browser cache in Internet Explorer
• Safely Delete the Temporary Internet Files <- for Internet Explorer 8
• How to Clear Your Browser's Cache <- for other versions of Internet Explorer, Firefox and different browsers
• Clean out Windows temporary files

I have played around with MSconfig, and while this helps I feel there
is something not right.

What exactly did you do in MSCONFIG?

MSConfig (System Configuration Utility) is a troubleshooting utility used to diagnose and fix system configuration issues. In the Summary section Microsoft says "The System Configuration utility helps you find problems with your Windows configuration. It does not manage the programs that run when Windows starts."

Although it works as a basic startup manager, msconfig should not be used routinely to disable auto-start programs. It is a temporary solution and not a good practice for the following reasons:

• When uninstalling programs while disabled with msconfig, they may not be uninstalled properly and manually editing the registry will be required to remove everything.
• Msconfig will often leave orphaned entries when software is uninstalled. When used to switch back to normal startup mode, these orphan entries can result in boot up errors.
• Msconfig only allows you to disable entries. To completely remove an entry from its' list you have to edit the registry, or use a third-party tool like Msconfig Cleanup Utility or a startup manager.
• Msconfig allows malware related items to hide in your registry which you may not see or affect your computer until switched back to normal startup mode. This could then result in reinfection of the computer.
• Msconfig does not list all applications loaded in all possible startup locations (some entry points are hidden and unknown to the user).

You should not use msconfig to disable startup applications related to services. Doing so alters the registry and there are services that are essential for hardware and booting your system. When you uncheck a service in msconfig, you completely disable it. If you uncheck the wrong one, you may not be able to restart your computer. Changing the default settings for services can be risky and might prevent key services from running correctly. Only change the status of a service if it is necessary. You should only disable services using the Services Management Console (services.msc) where you cannot disable services that may be vital to boot your system.

Black Viper's warning: Why can't I use msconfig to change my services?

A better alternative is to use a startup manager like:

• Starter by CodeStuff
• Autoruns
• System Explorer
• AnVir TaskManager Free (32-bit, 64-bit)
• WinPatrol (32-bit, 64-bit)
• Mike Lin's Startup Control Panel
• Startup Manager

Thank you again...........

Part 1 all these elements , apart from clearing the Java cache had already been done,

@art 2 Re msconfig: Yes I know about this I would only change the non-MS services, and am aware of how the registry is affected. I also look at the startup options as usually most users just say yes to everything without realising how this can effect performance; secondly some badly written systems do not give an easy way to switch off the startup option.


service deactivated is SeaPort (Windows live) - startups deactivated include: ramasst and bbc iplayer desktop.

System after extensive cleanup i still taking 2.5 mins to fully boot - I usually am able to get this down to under 90secs.

This issue will require further investigation. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need you to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".

• If you cannot complete a step, then skip it and continue with the next.
• In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. If ComboFix was able to create a log, it would have been saved to the root directory, usually C:\ComboFix.txt so be sure to include that as well.

If you post your logs back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the Malware Response Team.

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic372781.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom