GMER, COMBOFIX crashes with BSOD


5 replies to this topic

#1 workshop22

workshop22

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:30 AM

Posted 20 December 2010 - 11:35 AM

Hello,
I'm having a problem where every time I run GMER I get a BSOD and the computer restarts immediately as it starts. I can run GMER in safe mode but not in normal mode. The same goes for ComboFix. ComboFix will go through all its scanning, there are like 50 stages, then as soon as it says Deleting Files... it crashes just the same as GMER. I've never had problems with these programs, as I use GMER every so often when I feel I might be infected with something.
The reason I'm trying to run these programs is that I think I have some kind of redirect malware. Occasionally while on the internet I'll get a random pop-up while on a trusted non-pop-up site; they are always the same kind of marketing pop-up.
I have run Symantec Corporate (this is what our network uses), AVG, Malwarebytes, Trojan Remover, and Spybot. There have been little things found here and there and cleaned, but I'm still having the same GMER/ComboFix issues.

MBR log is clean thanks to tdsskiller.exe.
And ComboFix, before running scans, says it detected a rootkit, then makes me restart, does its scan and then crashes at deleting files...


Your help is greatly appreciated.

Edited by workshop22, 20 December 2010 - 01:10 PM.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:30 AM

Posted 20 December 2010 - 12:48 PM

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert." Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again. When issues arise due to complex malware infections, possible false detections, problems running ComboFix, or other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

With that said, there are circumstances where ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools, or the presence of CD emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD), so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does. While that is not normal behavior, it is not unusual. In such cases, it is helpful to know at what stage CF stalled and to provide that information to the Helper who is assisting you so they can investigate. That's just another reason you should only use ComboFix under supervision.


I have run Symantec Corporate (this is what our network uses),

Is this a work computer? If so, have you contacted and advised your IT Department? In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources. In fact, many companies will require you to read those policies and sign a statement of understanding. These official procedures are designed and implemented to provide security and certain restrictions to protect the network. This allows all users to safely use business resources with minimum risk of malware infection, illegal software, and exposure to inappropriate Internet sites or other prohibited activity. We will not assist with attempts to circumvent those policies or security measures.

Our forums are set up to help the home computer user deal with issues and questions relating to personal computers. At most community security sites like this, we do not have the staff or resources to deal with numerous client machines or the complexities of network disinfection. A lot of helpers are not familiar with Servers and many of the tools we use are restricted to non-commercial use by their creators. Further, we are not equipped to involve ourselves in any legal issues that may arise due to loss of business data and loss of revenue as a result of malware infection or the disinfection process which in some instances require reformatting and reinstallation of the operating system.

A business IT staff generally has established procedures in place to deal with issues and infections on client machines on the network. As such, they may not approve of employees seeking help at an online forum or outside the business office as doing so could interfere or cause problems with their removal methods. The malware you are dealing with may have infected the network. If that's the case, the IT Department needs to be advised right away so they can take the appropriate disinfection measures.

If you're reluctant or embarrassed to inform the IT Team, keep in mind that they can easily trace the source of the infection. It is much better to bring this to their attention than to deal with the consequences of violating security policy once the IT Team and your supervisor find out.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#3 workshop22

workshop22
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:30 AM

Posted 20 December 2010 - 01:09 PM

OK, well I am the IT department and there are no legal issues, policies, or procedures set up that could cause a problem. This isn't a large network by any means; in fact it is a small network set up for the few computers we have here at the church I work for. There aren't numerous client machines to deal with nor complexities of network disinfection, since no other computer is infected. You can go ahead and treat this as non-commercial since this is my personal computer that I just happen to use here at the church. The only reason I have Symantec Corporate installed rather than AVG Free is because we have the extra license for it. Lastly, I'm not reluctant or embarrassed to inform myself about anything.

Now, with that out of the way... is there any info you can give me to help me with getting rid of this infection? I'm dreading having to format and start with a clean slate on this computer, as that would set me back about a week, so if you can help me, it would be greatly appreciated.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:30 AM

Posted 20 December 2010 - 01:40 PM

I am the IT department...

I understand and that's not a problem, but I always ask first. You would not believe how many folks try to circumvent your job by hiding infections and seeking help elsewhere in order to avoid responsibility. As such, I'm sure you can appreciate I was looking out for the IT folks as well by checking.

Rerun TDSSKiller to confirm that part of the infection has not returned. If it has not and you're still experiencing redirects, then you are dealing with more than a modified MBR. TDL4 infects 2 drivers, one being random and the other a legitimate driver (such as atapi.sys) in the Windows drivers folder. If the legitimate driver is swapped (cured) without the other being swapped at the same time, the swapped file becomes infected again. This means further investigation is needed with more powerful tools than we allow in this forum. Using ComboFix is only one part of the process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
  • When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.

Note: I know you already tried using GMER but sometimes changing the settings will allow you to complete a scan.

Open GMER and deselect (uncheck):
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All <- don't miss this one

If that does not work you may also need to uncheck Devices and Sections from the options on the right, along with the items noted above, then try running it again. If it's still crashing, also uncheck Files.

Should GMER still fail to run or continues to crash, try running it in safe mode. If you still cannot get GMER to run, then skip that step and continue with the next, then post your DDS log in the proper forum as instructed above.
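The reply above says TDL4 patches a legitimate driver such as atapi.sys and drops a second, randomly named one in the Windows drivers folder. The following PowerShell script is an added example, not something from this thread or from the GMER/ComboFix/TDSSKiller tools: it hashes every .sys file in the drivers folder so the list can be compared with a baseline exported from a known-clean machine running the same Windows version and patch level (an assumption; drivers legitimately differ between patch levels, so a MODIFIED result is a lead to verify, not a verdict). Run it from Safe Mode, where the thread notes the tools do work, or from an offline boot disk, because an active rootkit can hand back the original bytes of a file it has patched. It uses the .NET SHA256 class rather than Get-FileHash so it also runs on the PowerShell 2.0 systems of that era.

```powershell
# Added example (not from the thread). Hash all drivers so two machines can be compared.
function Get-DriverHashes {
    param([string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'))
    $sha = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -Path $DriverDir -Filter *.sys | ForEach-Object {
        $stream = [System.IO.File]::OpenRead($_.FullName)
        try {
            $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally {
            $stream.Close()
        }
        New-Object PSObject -Property @{ Name = $_.Name; Length = $_.Length; SHA256 = $hash }
    }
}

# Compare the suspect machine's drivers folder against a baseline CSV from a clean machine.
# Reports drivers whose hash differs (e.g. a patched atapi.sys) and drivers that the clean
# machine does not have at all (e.g. the randomly named second driver the reply describes).
function Compare-DriverHashes {
    param(
        [Parameter(Mandatory = $true)][string]$BaselineCsv,
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
    )
    $baseline = @{}
    Import-Csv -Path $BaselineCsv | ForEach-Object { $baseline[$_.Name] = $_ }
    Get-DriverHashes -DriverDir $DriverDir | ForEach-Object {
        $ref = $baseline[$_.Name]
        if ($null -eq $ref) {
            $status = 'NOT IN BASELINE'
        } elseif ($ref.SHA256 -ne $_.SHA256) {
            $status = 'MODIFIED'
        } else {
            $status = 'ok'
        }
        New-Object PSObject -Property @{ Name = $_.Name; Length = $_.Length; Status = $status }
    } | Where-Object { $_.Status -ne 'ok' } | Sort-Object Status, Name
}

# On the clean machine:   Get-DriverHashes | Export-Csv -NoTypeInformation clean-drivers.csv
# On the suspect machine: Compare-DriverHashes -BaselineCsv .\clean-drivers.csv
```

Because the thread says a cured atapi.sys is re-infected by the second driver, rerun the comparison after each cleaning pass and after a reboot to confirm the file stays at its baseline hash.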

#5 workshop22

workshop22
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:30 AM

Posted 20 December 2010 - 02:48 PM

Thank you so much, I will do as you said... I appreciate all your time and effort!

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:30 AM

Posted 20 December 2010 - 02:57 PM

You're welcome and good luck.