Can't Post a Log Because Combofix won't run


This topic is locked. 6 replies to this topic.

#1 mrsbullwinkle

  • Members
  • 3 posts

Posted 18 March 2011 - 08:45 PM

Since I am so infected I can't update, I submitted my problem to Microsoft. Their tech recently suggested I download and run Combofix and post my log here, follow your directions, then run a tdss killer he has given me a link for and report my results back to him if everything isn't fixed.

This tech had previously suggested I run my AVG virus in safe mode to clean the computer but my computer stopped the scan and either crashed or tried to reboot as soon as AVG began scanning my temporary computer files.

When I tried to run the Combofix -- after disabling everything that could possibly ever be of help to keep me safe -- the first 3 lines appeared in the blue box telling me that run time was usually 10 minutes but a heavily infected computer could take double that time. I left it running for 4 hours. Nothing else ever happened so I finally gave up and came here hoping for help.

I am sending everything to you on my old computer as the new one is officially out of service until the problem is fixed and I can put my AVG, spybot, ad-aware, etc. back in.

My computer is running win xp with avg virus protection.

Many thanks for any help or advice. If it was a horse, I'd shoot it!

Edited by mrsbullwinkle, 18 March 2011 - 08:50 PM.

#2 oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender: Male
  • Location: The Collective

Posted 25 March 2011 - 12:14 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition, and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 mrsbullwinkle

  • Topic Starter
  • Members
  • 3 posts

Posted 28 March 2011 - 02:05 PM

Many thanks for the response oneof4. Regarding your notes:

1. The original problem is not solved.

2. My computer starts and runs fine as long as I do not go on the internet or try to run any program that might possibly fix it. If I try to run a program to fix it, it reboots part way through, as I said in my original statement. It is a little slow starting and closing down, but seems to run fine otherwise, except as previously noted. My Windows XP is version 5.1.2600 Service Pack 3 Build 2600, Home edition, and I believe it is a 32-bit system because the only thing I could find saying 32 or 64 bits was under display in system information, where it said "Bits/pixel 32."

3. There is not a working DVD player in the computer. Since so many of my DVDs and CDs would not play, I bought an external drive and quit burning CDs, so have never replaced it. Furthermore, although I do have my original Windows CD, it is unlikely it would play well enough to help anyway as it is extremely scratched up. Our house burned down last year, very few of our CDs or DVDs have played since our move to an apartment after that fire.

4. Will do.

5. When I open Internet Explorer, it sometimes goes to my home page, but more often says "connecting" forever. This happens even though the internet connection is active, as I can tell by the old computer (shared connection through router). If I click a link on my favorites from that home page, when it has opened, it will go to it. However, if I try to open a new tab, again it says connecting forever. If I search for anything, using ask.com (my home page) or any other search engine, it takes me to a new search engine that I've never heard of, and if I search there it again takes me to another search engine. Many times when I open Internet Explorer, only the bar at the top displays and my desktop fills the rest of the screen.

Additionally, Microsoft's Online Scanner said:

Protection
5 issues not able to be cleaned
3 Severe issues found
Exploit:Java/CVE-2010-0840
Issue 1
c:\documents and settings\networkservice\application data\sun\java\deployment\cache\6.0\29\18e80c9d-4913ccd8
c:\documents and settings\networkservice\application data\sun\java\deployment\cache\6.0\26\575401da-60260a47
c:\documents and settings\networkservice\application data\sun\java\deployment\cache\6.0\16\64a5c350-375f3c75
Exploit:Java/CVE-2010-0840.AY
Issue 1
c:\documents and settings\networkservice\application data\sun\java\deployment\cache\6.0\56\5e0f8978-6762efaf
c:\documents and settings\networkservice\application data\sun\java\deployment\cache\6.0\46\2dc5a3ae-21a1844e
c:\documents and settings\networkservice\application data\sun\java\deployment\cache\6.0\45\5b76df2d-7dfcfc9a
1 Medium issue found
BrowserModifier:Win32/Zwangi
Issue 1
c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\0umf173vk\upgrade[1]cab
1 Low issue found
Adware:Win32/OpenCandy
Issue 1
c:\documents and settings\owner\desktop\izarc4.1.2.exe

I also know that I had trojans in my restore:
C:\System Volume Information\_restore(202550A8-7A33-4BCA-9586-051D24DDBF8F)\RP322\A0081681
The file above appeared twice in the scan, once with a green check mark in front of it and once with a yellow question mark in front of it. I disabled and enabled my system restore to clear it.

Furthermore, my internet supplier has told me I have a "bot" and need to update my Windows and all my other programs to get rid of it. This would be great advice if it was possible for me to update anything except my Adobe and my AVG virus protection, which reboots part way through during most scans. I have tried to run Trend Micro's RUBotted, but it says service stopped and will not run when I click start service.

I have tried to update Windows frequently and it says "unable to display the page." I have run Ad-Aware, Spybot, AVG virus protection, and 2 different TDSS killers, all with little or nothing being found and no help getting rid of anything, as everything they say they have cleaned is always still there the next time I scan. I have disabled and enabled system restore and tried to run AVG in safe mode. Microsoft told me to run Combofix, which would not run, and the TDSSKiller that they gave me a link for ran but found nothing.

6. Again, many thanks for the help.

7. Have downloaded DDS as you asked, but it would not run -- detailed info below.

8. Here is your reply.

Okay, I downloaded the DDS.scr, disabled AVG for 15 minutes, disabled my Windows firewall (which was NOT in your list of firewalls to disable), and disabled Ad-Aware.

I tried to disable Spybot, but when I clicked on Tools as the A/V link said, even though I was in advanced mode, "Resident TeaTimer" was not on the list. "Resident" was, although it was already unchecked. I did click System Startup as the link said, but the only place I could find TeaTimer on the list was under "value," and I unchecked it. No boxes came up to click okay, so I just closed the program by clicking the x in the top left corner.

I rebooted as instructed, and had to disable AVG again as more than 15 minutes had passed. I also checked the icons on my task bar to be sure spybot was not running in any form. I knew the firewall and AVG were off because of the security alerts.

When I ran the DDS.scr, a double dotted line appeared 3/4 of the way across the box. Then a cursor appeared on the next line. Nothing else happened. I left it open for 15 minutes even though it was supposed to take no longer than 3 minutes. No log report ever popped up. Additionally, the DDS would NOT close no matter what I tried (including Task Manager). Also, my computer would not shut down normally with it running, and I had to turn the computer off at the button and restart to get the program to close.


Then I downloaded and ran Defogger to disable CD emulation programs; evidently nothing was found, since it did not ask me to reboot.

Then I downloaded and ran GMER. I received a warning that it had found system modification caused by rootkit activity. I clicked OK and saved the log as ark.txt as requested.

I am attaching it to this reply. I'm sorry it was the only requested log I was able to create for you, so am also attaching some other recent logs in hopes they will help, too. All of these logs were created since the problem began and I first contacted Microsoft about it, hope they help. Many, many, thanks oneof4.

Attached Files



#4 fireman4it

  • Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender: Male
  • Location: Greenup, Ill USA

Posted 28 March 2011 - 05:37 PM

Hello mrsbullwinkle
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

Let's see if some of our tools will run in Safe Mode. Download the following tools, then boot into Safe Mode and see if they will run.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.
Please see here for additional details.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
  1. Please download OTL from one of the following mirrors:
     • This is THE Mirror
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. Under the Custom Scan box paste this in:

     netsvcs
     %SYSTEMDRIVE%\*.exe
     /md5start
     eventlog.dll
     scecli.dll
     netlogon.dll
     cngaudit.dll
     sceclt.dll
     ntelogon.dll
     logevent.dll
     iaStor.sys
     nvstor.sys
     atapi.sys
     IdeChnDr.sys
     viasraid.sys
     AGP440.sys
     vaxscsi.sys
     nvatabus.sys
     viamraid.sys
     nvata.sys
     nvgts.sys
     iastorv.sys
     ViPrt.sys
     eNetHook.dll
     ahcix86.sys
     KR10N.sys
     /md5stop
     %systemroot%\*. /mp /s
     CREATERESTOREPOINT

  5. Push the Quick Scan button.
  6. Two reports will open; copy and paste them in a reply here:
     • OTL.txt <-- Will be opened
     • Extra.txt <-- Will be minimized


Things to include in your next reply:
Were you able to run the tools in Safe Mode?
TDSSKiller log
OTL.txt
Extra.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!
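As an added example (not code from the thread, and not OTL's own code), the /md5start ... /md5stop section of the custom scan above is reproduced in Python from the defender's side: hash every copy of the listed drivers found under a root, then flag any driver whose MD5 differs from a known-good baseline or that turns up in more than one place, which is the kind of evidence a helper looks for when a TDSS-family rootkit has patched a storage driver. The driver names come from the post; the directory tree, file contents and baseline hashes are constructed placeholders.

```python
import hashlib
import os
import tempfile
# Driver names copied from the /md5start ... /md5stop section of the OTL scan
# in the thread; TDSS-family rootkits are known to patch drivers such as these.
DRIVERS = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys", "iastorv.sys"]

def md5_of(path):
    """MD5 of a file's contents (the value OTL reports for each listed file)."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def scan_drivers(root, names):
    """Walk root and return {lowercase name: [(path, md5, size), ...]} for every copy found."""
    wanted = {n.lower() for n in names}
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in wanted:
                path = os.path.join(dirpath, fname)
                found.setdefault(fname.lower(), []).append(
                    (path, md5_of(path), os.path.getsize(path)))
    return found

def find_anomalies(found, baseline):
    """Flag drivers present in several places or whose MD5 differs from the baseline."""
    anomalies = {}
    for name, copies in found.items():
        reasons = []
        if len(copies) > 1:
            reasons.append("multiple copies")
        if name in baseline and any(d != baseline[name] for _p, d, _s in copies):
            reasons.append("hash mismatch")
        if reasons:
            anomalies[name] = reasons
    return anomalies

def demo():
    """Constructed sample tree: a clean atapi.sys, a stray copy of it, and a patched iaStor.sys."""
    root = tempfile.mkdtemp()
    drv = os.path.join(root, "WINDOWS", "system32", "drivers")
    os.makedirs(drv)
    os.makedirs(os.path.join(root, "Temp"))
    clean_atapi = b"constructed clean atapi.sys bytes"
    samples = {os.path.join(drv, "atapi.sys"): clean_atapi,
               os.path.join(root, "Temp", "atapi.sys"): clean_atapi,
               os.path.join(drv, "iaStor.sys"): b"constructed PATCHED iaStor.sys bytes"}
    for path, data in samples.items():
        with open(path, "wb") as f:
            f.write(data)
    # Baseline hashes are constructed placeholders, not real Windows file hashes.
    baseline = {"atapi.sys": hashlib.md5(clean_atapi).hexdigest(),
                "iastor.sys": hashlib.md5(b"constructed clean iaStor.sys bytes").hexdigest()}
    return find_anomalies(scan_drivers(root, DRIVERS), baseline)
```

On a real machine the baseline would be the vendor's published hashes for the installed service pack, and a driver reported at an unexpected path or with an unexpected size is worth as much attention as a hash mismatch.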


#5 fireman4it

  • Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts

Posted 30 March 2011 - 08:18 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it



#6 mrsbullwinkle

  • Topic Starter
  • Members
  • 3 posts

Posted 02 April 2011 - 03:13 PM

Many thanks, but I fixed it just before I got the email with your reply. I downloaded the latest version of DoctorWeb. It fixed most things on the first scan, but asked for permission to reboot and try to fix the rest of the problems as it booted and it was successful. I have updated and browsed successfully. Many thanks.

#7 fireman4it

  • Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts

Posted 02 April 2011 - 03:50 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
