
Combofix killed two of my computers


12 replies to this topic

#1 yj7777


Posted 21 November 2009 - 01:31 AM

I foolishly ran Combofix on two almost identical Shuttle systems running Windows XP SP2.
After combofix did its scan and did a reboot, both machines failed to boot.
When I try to boot into safe mode / safe mode command line, one of them goes into a booting loop when loading gagp30kx.sys. The other blue screens when loading gagp30kx.sys with a 07b error.
Both machines were working fine before I ran combofix on both.

I tried going into the recovery console using the Windows XP CD, but when I try to run c:\windows\system32\restore\rstrui.exe I get a "Command is not recognized" error.
I guess the only way to run this is to boot into safe mode from the computer itself.. unfortunately, I can't boot into safe mode because the computers either go into a loop or bluescreen.

Using the Windows XP CD and the Microsoft instructions for "How to recover from a corrupted registry that prevents Windows XP from starting" I backed up the following files in one of the computers:

c:\windows\system32\config\system, software, sam, security, default
and restored them from c:\windows\repair\.

After I did all this, the system still failed to boot into safe mode.. it would still go into a loop!!!
Is there a way I can do a system restore without having to boot into safe GUI mode?
Whatever combofix did to my systems, there has to be a way to restore them without having to reinstall everything!
Right now my apache server and two websites, plus another website's forum, are currently down because of this..
PLEASE HELP!

Edited by yj7777, 21 November 2009 - 01:34 AM.




#2 yj7777


Posted 21 November 2009 - 02:06 AM

Booting from the Win XP CD-ROM and going into the recovery console, I was able to find my way into the system recovery folder and restored the system, software, sam, security, default files from a previous date to c:\windows\system32\config.

After trying to reboot into normal or safe mode, I am still getting a blue screen.. so I am not really sure what combofix did, but doing a registry recovery wasn't enough..

#3 Wendy K. Walker


Posted 21 November 2009 - 03:36 AM

Hi, click over to "This" forum and copy paste your post, this one, into a new topic over there. That's where all the people who know HJT and ComboFix stuff are.

I take it you didn't read the WARNING that said ComboFix could wipe your OS out if you toyed around with it without professional help.

If you're real lucky someone in that forum MIGHT be able to get you back up and running without having to do a destructive recovery of your operating system.

I'm just a bit curious about this statement here Boo:

Both machines were working fine before i ran combofix on both.

If that's true then what possessed you to run something like ComboFix?
Good luck Boo.

Wendy
TRUST NO ONE...! EXCEPT For The Beloved Computer Geek Helping You In The MALWARE FORUMS.

Do Unto Others Before They Have A Chance To Do Unto You.

HP Pavilion 512n [Rescued from a pile of trash on the side of the road] 128 MB SDRAM, 60 GB Hard Drive, Windows XP, Home Edition, SP3, COMODO Anti Virus and Firewall.

#4 joseibarra


Posted 21 November 2009 - 08:40 AM

You cannot run the System Restore GUI (rstrui.exe) from the Recovery Console, so that is why that won't work.

You can read about gagp30kx.sys in the Bleeping Computer File Database forum (or Internet searches) and find it is video related:

Microsoft driver to be used with a VIA K8 motherboard for CPU to AGP communications.


It is also not part of the 5 registry files you copied over, but good effort!

I don't know why/how it is related to Combofix, but there are still some alternatives.

Since you can boot into RC, some other folks with this problem have resolved it by using Recovery Console to run:

chkdsk /r

So I would try that since you can. It may not find anything to do, but you will then know what it is not.

While in RC, navigate to c:\windows\system32\drivers and be sure that you find gagp30kx.sys.

If suspicion of malware is what prompted Combofix, maybe the file was corrupted and Combofix removed it and needs to be replaced.

If the gagp30kx.sys is missing or even suspicious, you can simply replace it from c:\windows\system32\dllcache.

You can do all of this using Recovery Console.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#5 yesyep


Posted 21 November 2009 - 10:19 AM

Yes, here something like that.

Recovery: same failures as here, almost every command a failure in console.

It turns out that combofix put the driver pciide.sys in quarantine as pciide.sys.vir; I did a replacement of that file (HD on other PC), then normal boot and back working!!!

?

Edited by yesyep, 21 November 2009 - 10:20 AM.


#6 joseibarra


Posted 21 November 2009 - 10:30 AM

Good for you :thumbsup:

I don't know too much about Combofix, if you have the log or can describe how you were able to figure out those were the files involved, I would like to see it/know more about it.

I wish I had a system that was not working after Combofix so I could study it!



#7 garmanma


Posted 21 November 2009 - 10:32 AM

Not to beat a dead horse, but one of the reasons it is not recommended to use ComboFix without supervision is because of these kinds of problems, as you already know. What hasn't been pointed out is that, if you had had supervision, your helper could have gotten in contact with CF's author to resolve the issue. He won't do that with people who ignore the disclaimer and run it on their own--he uses his time to make CF better.
papakid

Edited by garmanma, 21 November 2009 - 10:34 AM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#8 yesyep


Posted 21 November 2009 - 12:45 PM

Good for you :thumbsup:

I don't know too much about Combofix, if you have the log or can describe how you were able to figure out those were the files involved, I would like to see it/know more about it.

I wish I had a system that was not working after Combofix so I could study it!


I did a lot of PCs with combofix, never had a serious issue before!

Now I don't know why with the updated combofix from today it went wrong, but that laptop is from a student I'm helping out with some, hmm, internet and LimeWire probs (I think from those downloads anyway!).

In the combofix quarantine txt file this was the only one in quarantine.

(Because almost nothing in the repair console was working: "unknown commands" and so on.)

I only could read this txt file of the laptop disk after putting/connecting it (through an IDE/USB converter) on another, not "important" PC with virus software up to date.
Scanned that disk but didn't find anything.

Read the file of combofix, looked for the same .sys file in windows/system32/drivers, copied this good one to that disk, put the disk back in the laptop.

Did some extra checks on MBR and so on. (I did that before too but it wasn't working.)

Now updating and checking the rest; it looks OK so far.

As there are some important basic hardware driver (.sys) issues here with combofix from today, maybe somewhere in combofix a false positive on infected (.sys) or corrupted (.sys) files now lets combofix put them in quarantine!

Sorry for my English.

Edited by yesyep, 21 November 2009 - 12:53 PM.


#9 wdoust50


Posted 21 November 2009 - 12:46 PM

ComboFix also did a number on my computer yesterday.

When I started ComboFix it declared that I HAD to do a MANDATORY update, which seemed a bit strange.

After the scan was completed the following file was deleted:

C:\Windows\System32\Drivers\pciide.sys

It then tried a reboot and was unsuccessful and any attempts to restart the computer were also unsuccessful. An error message kept appearing stating that the startup was prevented to avoid possible damage to the computer.

I learned that this file that was removed is a necessary system operating file and the subsequent problems were indeed caused by ComboFix!!

It occurred to me that perhaps ComboFix has been compromised in order to cause this problem or perhaps the creators of ComboFix didn't properly test this "Mandatory" update?

I had to reinstall Windows XP by hitting F12 at Startup, inserting the CD and scrolling down to the CD option in the Boot Startup menu.

It took about 40 minutes and I had to reinstall all the XP updates (59 I believe), which included updating Internet Explorer from 6 to 7. I also had to update the Media Player, everything else on the computer appears to be unaffected by the reinstallation.

#10 rigel


Posted 21 November 2009 - 01:03 PM

Sorry about your troubles with ComboFix. There are postings everywhere advising people not to run this without supervision.

ComboFix should not be discussed outside the HijackThis forums and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


I think you can see by your own postings that there are downfalls to running the program without supervision. If you need help after running the tool, please create a new topic in our advanced malware forums. Please follow this guide. Post a DDS log to the HJT forum and a Team member will be along to help you as soon as possible.

This discussion is now closed.

rigel
BleepingComputer Forums Moderator

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#11 Grinler (Lawrence Abrams, Admin)

Posted 23 November 2009 - 12:00 PM

I will respond in more detail in your other topic, but yes, those who ran ComboFix recently and then were unable to boot Windows properly will need to move the pciide.sys from the C:\Qoobox quarantine folder into the C:\Windows\System32\drivers\ folder. Reboot and your machine will boot properly. If you have a second machine then you can copy it from another computer.

I am leaving this topic open in case others need help performing this action.
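As an added example that is not from any poster in this thread: a Windows XP Recovery Console session that combines joseibarra's checks from post #4 (chkdsk, confirming the driver is present, replacing it from dllcache) with the restore step Grinler gives above. It assumes ComboFix mirrors the original path under C:\Qoobox\Quarantine and appends .vir (so the file is pciide.sys.vir, as yesyep observed) and that D: is the XP CD; the console is interactive, so the commands are typed one at a time and the REM lines are annotation only.

```batch
REM Added example, not from the thread: restoring a boot-critical driver that an
REM anti-malware tool quarantined, using only the XP Recovery Console.
REM Assumption: quarantine layout is C:\Qoobox\Quarantine\<drive>\<original path>.vir

REM 1. Repair file-system damage first (post #4); harmless if nothing is found.
chkdsk c: /r

REM 2. See whether the drivers the thread names are actually present.
dir c:\windows\system32\drivers\pciide.sys
dir c:\windows\system32\drivers\gagp30kx.sys

REM 3. Put the quarantined driver back. By default the Recovery Console only
REM    allows the drive root, %SystemRoot% and removable media, so C:\Qoobox
REM    answers "Access is denied." until AllowAllPaths is set. SET itself is
REM    disabled unless the local security policy "Recovery Console: Allow
REM    floppy copy and access to all drives and all folders" is on; if SET is
REM    refused, skip to step 4 (or copy the file from another machine, as
REM    Grinler and yesyep did).
set AllowAllPaths = TRUE
copy c:\qoobox\quarantine\c\windows\system32\drivers\pciide.sys.vir c:\windows\system32\drivers\pciide.sys

REM 4. Fallback: the Windows File Protection cache keeps a known-good copy.
REM    copy asks before overwriting an existing file; answer Yes.
copy c:\windows\system32\dllcache\pciide.sys c:\windows\system32\drivers\pciide.sys

REM 5. Last resort: expand the driver straight from the XP CD's driver cabinet
REM    (D: assumed to be the CD-ROM drive).
expand d:\i386\driver.cab /f:pciide.sys c:\windows\system32\drivers
expand d:\i386\driver.cab /f:gagp30kx.sys c:\windows\system32\drivers

REM 6. Leave the console; the machine reboots.
exit
```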

#12 Reika


Posted 31 January 2012 - 09:30 PM

I will respond in more detail in your other topic, but yes, those who ran ComboFix recently and then were unable to boot Windows properly will need to move the pciide.sys from the C:\Qoobox quarantine folder into the C:\Windows\System32\drivers\ folder. Reboot and your machine will boot properly. If you have a second machine then you can copy it from another computer.

I am leaving this topic open in case others need help performing this action.


^ How do you do this?

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

#13 mark1956 (Security Colleague)

Posted 01 February 2012 - 05:04 AM

Reika, if you have caused a problem on your PC by using Combofix without supervision you should read the advice in post 10 and start your own thread.



