
Combofix Frozen


  • This topic is locked
25 replies to this topic

#1 Tekn0cat

Tekn0cat

  • Members
  • 23 posts

Posted 09 July 2008 - 09:56 AM

I hope I'm in the right forum! I'm trying to clean a laptop running Windows XP pro, it's infected with Wserving/Afinding.exe. I found some instructions on how to clean this, starting with running ComboFix (which we've used in the past). I downloaded the latest version and ran it AFTER disabling antivirus, firewall and spyware scanners.

Now ComboFix has frozen after "Completed Stage_4". It's been sitting like this for over half an hour. I don't want to do anything to it until I check here. So far it says it's removed the following:

C:\Windows\Hosts
C:\windows\system32\routing.exe
C:\windows\system32\Indt2.sys
C:\windows\system32\comsa32.sys
C:\windows\system32\afinding.exe
C:\windows\system32\Wserving.exe

From looking on this forum in regards to this infection (too late), I realize now that I screwed up by running ComboFix right away... but is it OK to use Task Manager or force ComboFix to close? And if so, what do I do next?

Thanks!


#2 Tekn0cat

Tekn0cat
  • Topic Starter

  • Members
  • 23 posts

Posted 09 July 2008 - 10:31 AM

Update: (additional info) - I tried to open Task Manager, got to the Windows Security box, then no response when I tried to use mouse or keyboard. HDD is not active. It's now been sitting like this for over 15 min. I'm going to try hard boot, then run HijackThis if possible and post the log in a different thread.

#3 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 09 July 2008 - 11:36 AM

Hi,

That's the problem with using ComboFix without supervision. Please use it only when a trained helper tells you to.

If you've closed ComboFix, do this:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#4 Tekn0cat

Tekn0cat
  • Topic Starter

  • Members
  • 23 posts

Posted 09 July 2008 - 12:24 PM

I had been running a Kaspersky online scan just before I read your post. It was getting to a certain file and then freezing. I aborted the scan, then installed and ran Mbam. While Mbam was running, Symantec Antivirus virus quarantine messages popped up several times. After I ran Mbam I opened Symantec and purged all items successfully from quarantine. Mbam also has files in quarantine but I haven't deleted them yet.

Here's the Mbam log - I also kept a log from Kaspersky but won't post it unless asked:

Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

13:07:13 2008-07-09
mbam-log-7-9-2008 (13-07-13).txt

Scan type: Quick Scan
Objects scanned: 72004
Time elapsed: 14 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WServing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
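The MBAM log above is the artifact a helper actually reads, so a small parser for that log format is useful for triage: it cross-checks the summary counts against the itemised entries, lists items whose action did not complete in-session (those are the ones the "please reboot immediately" note in post #3 is about), and pulls the service names out of the removed `...\Services\` keys so they can be compared with the files ComboFix reported deleting. This is an added example, not code from the thread or from Malwarebytes. The sample log is constructed from the format shown above; the `Delete on reboot.` action string and the second `perfmons` key are assumed values used to exercise the pending-action path.

```python
"""Parser and consistency checks for the Malwarebytes' Anti-Malware 1.x text log."""
import re
from collections import defaultdict

# Constructed sample in the MBAM 1.x log format seen in this thread.
# "Delete on reboot." is an assumed action string used to exercise pending items.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 72004
Time elapsed: 14 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\\WINDOWS\\system32\\perfs.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\AFinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\perfmons (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\perfs.exe (Trojan.Downloader) -> Delete on reboot.
"""

SECTION_NAMES = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
SUMMARY_RE = re.compile(r"^(%s): (\d+)$" % "|".join(SECTION_NAMES))
HEADER_RE = re.compile(r"^(%s):$" % "|".join(SECTION_NAMES))
# Greedy path, then the detection name in the last parenthesised token.
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<detection>[^()]+)\)$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'items': {section: [entry, ...]}}."""
    summary, items, section = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == NO_ITEMS:
            continue
        m = SUMMARY_RE.match(line)
        if m and section is None:          # summary block precedes the sections
            summary[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue                        # scan metadata (version, scan type, ...)
        # Split on " -> ": first part is "path (detection)", last part is the
        # action; registry data items carry an extra "Bad: (1) Good: (0)" field.
        parts = line.split(" -> ")
        m = ITEM_RE.match(parts[0])
        if not m:
            raise ValueError("unrecognised item line: " + line)
        items[section].append({
            "path": m.group("path"), "detection": m.group("detection"),
            "action": parts[-1], "extra": parts[1:-1],
        })
    return {"summary": summary, "items": dict(items)}


def count_mismatches(parsed):
    """Sections whose header count disagrees with the number of listed items."""
    out = {}
    for name in SECTION_NAMES:
        declared = parsed["summary"].get(name, 0)
        listed = len(parsed["items"].get(name, []))
        if declared != listed:
            out[name] = (declared, listed)
    return out


def pending_actions(parsed):
    """Items whose action did not complete in-session, i.e. need the reboot."""
    return [(section, e["path"], e["action"])
            for section, entries in parsed["items"].items()
            for e in entries if "successfully" not in e["action"]]


def services_touched(parsed):
    """Service names from removed ...\\Services\\<name> keys, for comparison
    with the driver/exe names ComboFix reported deleting."""
    names = set()
    for e in parsed["items"].get("Registry Keys Infected", []):
        m = re.search(r"\\Services\\([^\\]+)$", e["path"], re.IGNORECASE)
        if m:
            names.add(m.group(1))
    return sorted(names)


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(parsed))
    print("pending actions:", pending_actions(parsed))
    print("services removed:", services_touched(parsed))
```

Splitting each item on `" -> "` before matching the path is what keeps the registry data items (which carry a `Bad: (1) Good: (0)` field before the action) from being mis-parsed, and taking the last parenthesised token as the detection name keeps paths such as `Program Files (x86)` intact.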

#5 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 09 July 2008 - 12:34 PM

Hi, yes please post the logfile of Kaspersky too. :thumbsup:
Do you still have problems?

#6 Tekn0cat

Tekn0cat
  • Topic Starter

  • Members
  • 23 posts

Posted 09 July 2008 - 12:40 PM

I don't know yet if there are still problems - this is a user's laptop and the only symptom he was reporting was slow performance and repeated Symantec AV virus detected warnings. I'm running another Symantec scan to see if it picks up anything.

Here's the Kaspersky from before I ran Mbam:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 09, 2008 15:38:05
Records in database: 932467
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
I:\
S:\
V:\
W:\

Scan statistics:
Files scanned: 34422
Threat name: 11
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 00:31:44


File name / Threat name / Threats count
C:\WINDOWS\system32\Nobicyt.exe/C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jxi 1
C:\WINDOWS\system32\perfs.exe/C:\WINDOWS\system32\perfs.exe Infected: Trojan.Win32.Agent.tps 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01280000.VBN Infected: Trojan.Win32.Agent.suv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\074C0000.VBN Infected: Trojan.Win32.Agent.suv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0000.VBN Infected: Trojan-Downloader.Win32.Delf.jte 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0001.VBN Infected: Trojan.Win32.Delf.dbc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0000.VBN Infected: Trojan-Downloader.Win32.Delf.jqx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0001.VBN Infected: Trojan.Win32.Agent.sus 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0002.VBN Infected: Trojan-Downloader.Win32.Delf.jqv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0003.VBN Infected: not-a-virus:AdWare.Win32.AlexaBar.ai 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09280000.VBN Infected: Trojan.Win32.Agent.suv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09280001.VBN Infected: Trojan.Win32.DNSChanger.ewt 1
C:\Documents and Settings\Helpdesk\Local Settings\Temp\Av-test.txt Infected: EICAR-Test-File 1

The scan was stopped by the user.

#7 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 09 July 2008 - 12:43 PM

Hi,

Delete all the items in the virus vault of Norton.

Then scan again with Symantec, as planned. If any items are found, please tell me the exact file path(s). :thumbsup:

#8 Tekn0cat

Tekn0cat
  • Topic Starter

  • Members
  • 23 posts

Posted 09 July 2008 - 01:40 PM

No items were found when I ran a full Symantec scan of the C drive. I checked its Quarantine and Backup folders after the scan. (This is Symantec Corporate, so it doesn't have a Norton folder.) All the bugs I'd seen before were in the Backup folder, so I deleted them. Quarantine was empty.

User has picked up his laptop (was in a hurry), but he will be sure to let us know if he gets more virus pop-ups. I also gave him a little "crash" course on not downloading crap, and tweaked his IE security settings for now.

#9 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 09 July 2008 - 01:45 PM

That's nice to hear. I don't think he will complain, because everything looks clean again. :thumbsup:

If you want to read some security tips: http://users.telenet.be/bluepatchy/miekiem...prevention.html :flowers:

#10 Tekn0cat

Tekn0cat
  • Topic Starter

  • Members
  • 23 posts

Posted 10 July 2008 - 12:35 PM

Update: Same virus is back. Here's the alert message from Symantec Antivirus Corporate:

Scan type: Auto-Protect Scan

Event: Threat Found!

Threat: Trojan Horse

File: C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP2\A0001026.exe

Location: Quarantine

Computer: PBRENER

User: SYSTEM

Action taken: Quarantine succeeded : Access denied

Date found: 2008-07-10 12:06

Next steps? I'm thinking turn off System Restore, boot into Safe Mode, then run Mbam again - unless you have other suggestions?

Thanks!

#11 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 10 July 2008 - 12:37 PM

No, System Restore isn't needed.

Do this:
Go to Start > Run. Type: combofix /u
This will restart ComboFix, and uninstall it.

Scan again with your AV. Is there still anything left? :thumbsup:

#12 Tekn0cat

Tekn0cat
  • Topic Starter

  • Members
  • 23 posts

Posted 10 July 2008 - 12:40 PM

Will take a while as the user hasn't given me his laptop yet. I'll update when I've tried that.

Thanks again!

#13 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 10 July 2008 - 12:52 PM

All right. :thumbsup:

#14 Tekn0cat

Tekn0cat
  • Topic Starter

  • Members
  • 23 posts

Posted 10 July 2008 - 03:11 PM

Still haven't got the laptop from the user, he's one of those busy upper management types. But he just sent me an email advising that he's still getting the bursts of music that are caused by this virus... so I think maybe it will take more than a combofix uninstall to get rid of this.

Your thoughts?

#15 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 10 July 2008 - 04:19 PM

combofix /u creates a new restore point and deletes the old ones, not something I would do just yet.

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

Run these programs in this order, exactly as specified, and have the computer disconnected from the internet.

If MBAM does not show a clean scan after running those three steps, then run SDFix

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

All programs updated!

MBAM in normal mode, then ATF and SAS from safe mode

Reboot and rerun MBAM, if anything shows then reboot into safe mode and run SDFix

All this without reconnecting to the internet
Chewy

No. Try not. Do... or do not. There is no try.
