
Combifix Hangs on possibly infected computer


10 replies to this topic

#1 JimMcGowanInlet


Posted 12 April 2010 - 04:05 PM

I am working on a PC that I suspect is infected. It was running Symantec Antivirus which detected nothing. I removed Symantec as a precaution and ran the Symantec removal tool just to be sure.

Combofix keeps hanging just before it shows Completed Stage_1... I see this on the screen when it hangs.

Scanning for Infected Files . . .
This typicaly doesn't take more then 10 minutes.
However, scan times for infected machines may easily double.

I have waited over an hour and it doesn't continue. I can control the PC and even close the combofix box. When I look at the process list I see CF1441.cfxxe and mbr.cfxxe are running. If I kill the mbr.cfxxe process combofix moves on.

If I try to boot the computer in safe mode I get no video, but it acts like it's booting properly, so I ran msconfig and set diagnostic mode, but CF still hangs with the same symptoms. I tried running malwarebytes. Malwarebytes starts off fine, but after 5 minutes it comes to a crawl and only scans 1 file every 5-10 seconds.

I did a fixmbr and a fixboot in the recovery console and it didn't help.

I ran HijackThis and didn't see anything exceptional.

I am guessing something is hooked into the disk access code and is blocking combofix from reading the mbr and also slowing down malwarebytes. It may be a virus or maybe is part of some antivirus/antispyware app that left hooks on the system.

I have the combofix log and the HJT log, but I just noticed that I'm not supposed to post them here. Anyone have any ideas on how to find out what might be hooked into the system and slowing it down?

Jim

Edited by JimMcGowanInlet, 12 April 2010 - 05:23 PM.




#2 JimMcGowanInlet


Posted 12 April 2010 - 05:23 PM

UPDATE: Ran RKill and it found nothing.

UPDATE: Ran SuperAntiSpyware only found 301 cookies. It did not run slow like MBAM does.

Trying to see what GMER does/shows now. But if anyone has any thoughts I could use some ideas. I'm just guessing now.

#3 Budapest


Posted 12 April 2010 - 05:26 PM

Post the GMER log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 JimMcGowanInlet


Posted 12 April 2010 - 05:28 PM

Is it ok to post here or should I move this to the Virus, Trojan, Spyware, and Malware Removal Logs forum?

#5 Budapest


Posted 12 April 2010 - 05:31 PM

Post it here to start with and I'll let you know if you need to re-post in the Virus, Trojan, Spyware, and Malware Removal Logs forum.

#6 JimMcGowanInlet


Posted 12 April 2010 - 08:36 PM

Just to update.... It's been 3 hours and GMER is still running. Is that normal? The system is a ~2 GHz P4 with 2 GB RAM and an 80 GB HD.

Edited by JimMcGowanInlet, 12 April 2010 - 08:36 PM.


#7 Budapest


Posted 12 April 2010 - 08:38 PM

You could try running the scan with only the "Sections" box checked.

#8 JimMcGowanInlet


Posted 13 April 2010 - 08:03 AM

Here is the GMER log. I had a USB stick plugged in at the time I ran GMER.

Any thoughts are appreciated.

Jim

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 09:00:04
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwldypoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA8B3C320]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xBA477A80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1428] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----
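A GMER log like the one above is easiest to triage once it is split into its sections and each hook is checked for the "(module/vendor)" attribution GMER appends. The parser below is an added example, not code from the thread or from GMER; its sample log is constructed: the two vendor-attributed hooks are copied from the post, and the explorer.exe line is made up to show what the review rule catches.

```python
import re

# Constructed sample in the shape of the GMER 1.0.15 log above: the two vendor-attributed
# hooks are copied from the post; the explorer.exe line is made up to show the triage rule.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA8B3C320]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1428] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[1000] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10001234

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
VENDOR_RE = re.compile(r"\(([^/()]+)/([^()]+)\)")  # "(module/vendor)" trailer GMER adds
HOOK_SECTIONS = {"System", "Kernel code sections", "User code sections"}

def parse_gmer(text):
    """Turn a GMER text log into one dict per entry line, tagged with its section."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or section is None or section == "EOF":
            continue
        kind, _, detail = line.partition(" ")
        v = VENDOR_RE.search(detail)
        entries.append({"section": section, "kind": kind, "detail": detail,
                        "vendor": v.group(2).strip() if v else None})
    return entries

def needs_review(entries):
    """Hook entries GMER could not attribute to a named module/vendor.
    A vendor string is not a verdict either way (a security product's SSDT hook is
    expected; a hook with no vendor may still be a legitimate driver), so this is a
    review queue for a human, not a detection."""
    return [e for e in entries if e["section"] in HOOK_SECTIONS and e["vendor"] is None]

def section_counts(entries):
    """How many entries each section of the log contains."""
    counts = {}
    for e in entries:
        counts[e["section"]] = counts.get(e["section"], 0) + 1
    return counts

if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    print(section_counts(parsed))
    for e in needs_review(parsed):
        print("review:", e["section"], e["kind"], e["detail"])
```

On the real log posted above, every hook in the hook sections carries a vendor string, which matches the "clean" reading given later in the thread.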

#9 JimMcGowanInlet


Posted 13 April 2010 - 08:28 AM

Today, after running GMER and collecting the data, I noticed the machine is VERY slow again. It's running 55% CPU on Winlogon.exe, 30% on svchost.exe and 15% on searchindexer.exe.

#10 JimMcGowanInlet


Posted 13 April 2010 - 05:05 PM

Budapest,

Thanks for the help but I could not wait any longer. I had to flush the PC. If you have time to look at the GMER log let me know what you see. I am interested if you see anything in the log that may help me in future problems.

Thanks
Jim

Edited by JimMcGowanInlet, 13 April 2010 - 05:05 PM.


#11 Budapest


Posted 13 April 2010 - 05:19 PM

I asked one of our Malware experts to have a look at your GMER log. They said the log was clean but suspected that you may have had a Bagle infection based on the symptoms you reported.