ComboFix Stall


  • This topic is locked
68 replies to this topic

#1 MagsMcKinley

MagsMcKinley

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Boulder, Colorado
  • Local time:09:02 AM

Posted 09 June 2011 - 01:23 PM

I have been working on a client’s computer. I was instructed by an Experts Exchange Genius to run ComboFix. It has stalled and ComboFix failed to install the Recovery Console. It is also now stuck at the beginning of AutoScan, where it has been for over 15 hours. It has not gotten to the “ComboFix has changed your clock settings” screen yet.

I am working on her computer remotely and am beginning to feel uncomfortable running such an intensive program without it in front of me. Especially since ComboFix needs to disconnect from the internet to run.

What is the next step since ComboFix is stuck?

Do you recommend me running it remotely?

The person asking me to run ComboFix has not responded yet. I appreciate all your help, thank you!

Mags

 

"Celebrate What's Right with the World!" ~ Dewitt Jones

"Data that you don't have at least two copies of is data that you don't really care about" ~ Unknown

 



 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:02 AM

Posted 09 June 2011 - 01:28 PM

Hi there,

What a pickle! :blink: Are you still connected to the client computer? If so, can you simply X out of ComboFix?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 MagsMcKinley


Posted 09 June 2011 - 01:50 PM

No, since ComboFix disconnects from the internet and is stuck. I can have her do it though.

What about my other questions?

What is the next step since ComboFix is stuck?

Do you recommend me running it remotely?

and

ComboFix failed to install the Recovery Console...should I do it manually?

Mags

 


 


#4 teacup61


Posted 09 June 2011 - 02:11 PM

Hang on there....we have to get out of ComboFix before we can do anything, right? :thumbup2: Go ahead and ask her to X out of ComboFix. Don't worry about the Recovery Console for now. Can you please tell me what problems she's having and what else you've done so far? Then we can go forward. :)

tea

#5 MagsMcKinley


Posted 09 June 2011 - 03:20 PM

She clicked the x to close ComboFix...said something about still needing to finish but if you want to end, click end now. Now her computer will do nothing and she cannot go to her start menu to restart her computer.
What next?

I am preparing what I have done so far and will send that ASAP.

Mags

 


 


#6 teacup61


Posted 09 June 2011 - 03:48 PM

Do a hard shut down then, then restart.

#7 MagsMcKinley


Posted 09 June 2011 - 03:49 PM

Please reply to my last post first, I would greatly appreciate it! :thumbup2:

Here are my combined logs to Experts Exchange:

I have a client who was infected with the Windows XP Recovery Virus. She ran the program, thinking it was legit, until it asked her to pay. She then called me.

I could not log on remotely so I had her reboot in Safe Mode with networking. I was then able to get in. We did a system restore that was successful.
Noticed some icons on her computer were opaque; they did clear after I did the following:

Ran CCleaner
Deleted temp file with %TEMP%, was advised that I shouldn't have done that
Ran RKill, then Rogue Killer
Updated and Ran Malwarebytes - attached is log
Updated and Ran SuperAntiSpyware - found nothing
Ran TDSSkiller
Updated and Ran HitmanPro - found nothing
Security Services was disabled - enabled and started
Restarted computer ran CCleaner again, thought we were good to go.

Windows update needs to run SP3 but I am waiting until she can back up her computer.

The next day she tried to open her biofeedback program and AVG stopped another attack as she was trying to start it – attached is log. I was researching the viruses found and it seems like she may have been re-infected because a virus may have been residing in one of the restore points.

When she tried to open her biofeedback program she got an error message that access is denied. She doesn’t want to continue opening the program for fear of infection.

Per advice I ran Trend Micro HouseCall, F-Secure online scanner (found and deleted some spyware), but when I tried to run Kaspersky's online scanner I got the error message - ERROR: License has expired, AVG was turned off.

I had to manually uninstall AVG for ComboFix to run.

ComboFix made a new restore point but was unable to install the Windows Recovery Console. It has now been stuck at the beginning of AutoScan, where it has been for over 22 hours.



Mags

 


 


#8 MagsMcKinley


Posted 09 June 2011 - 03:50 PM

Thanks...will do, I will then remotely connect.

Mags

 


 


#9 teacup61


Posted 09 June 2011 - 04:02 PM

When you get there, I would recommend a simple DDS log before you try anything else. If you'd like continued help, I'll be happy to see it through. :)

#10 MagsMcKinley


Posted 09 June 2011 - 04:30 PM

That would be awesome :thumbsup:
Your site says to run the DDS scan while not connected to the internet. I already sent the file over to her computer...do I have to disconnect our remote connection and take her offline?

Mags

 


 


#11 teacup61


Posted 09 June 2011 - 05:02 PM

No no! You can run it while connected....no worries there. To be honest, I'm not really sure why the tutorial recommends it. Never seen that. Post it when you're ready. :)

#12 MagsMcKinley


Posted 09 June 2011 - 05:39 PM

Well no log coming...clicked to close DDS so I could run Rkill in case something was interfering and her computer froze. Should I run Rkill first or in safe mode? What might be going on??

Mags

 


 


#13 teacup61


Posted 09 June 2011 - 05:46 PM

Don't run anything. Restart the computer, reconnect, and get that report for me. That's most important so we know exactly what's going on, and a much better idea of how to fix it. :thumbup2:

#14 MagsMcKinley


Posted 09 June 2011 - 05:50 PM

It's not giving me a log...I waited 15 mins

Mags

 


 


#15 MagsMcKinley


Posted 09 June 2011 - 05:54 PM

I'll try again

Mags

 


 




