After running combofix cannot freeze on login screen



#1 pinoyako

Posted 27 August 2011 - 10:12 AM

I hope everyone is having a great day. Unfortunately, I am not. Last night a friend of mine asked me to take a look at his netbook. I powered it on and logged on to the OS, and after a couple of minutes an application appeared claiming that the system had a virus and needed to be fixed right away. We all know that this kind of application is not real and is just plain virus/malware. So I decided to go to this site, download ComboFix and run it. After an hour of scanning and so on, ComboFix just hung on "Scanning for infected files.. This typically doesn't take 10 minutes. blah, blah, etc". It just froze there and nothing happened. So I decided to hard power off the netbook. After a couple of minutes I tried to power the PC on again, and now it just hangs on the login screen; the mouse is not moving and I cannot log in whatsoever. I also tried Safe Mode, with the same result. Could ComboFix have corrupted the OS? I mean, it would be nice if the freeze problem could be fixed. If not, I am planning to borrow an external CD drive from a friend to re-install XP Professional. Just wanted to see everyone's comments. Thank you.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

#2 pinoyako

Posted 27 August 2011 - 03:24 PM

Any suggestion?

#3 Animal (Site Admin)

Posted 27 August 2011 - 06:41 PM

I have posted and requested for someone from the malware team to take a look. Please be patient, thank you.

#4 pinoyako

Posted 27 August 2011 - 09:19 PM

Thank you for the response.

#5 Elise (Malware Study Hall Admin)

Posted 29 August 2011 - 02:24 PM

Please restart your computer and tap F8 until the Advanced Boot Options menu comes up. Select Last Known Good Configuration. Can you boot this way?

regards, Elise


Malware analyst @ Emsisoft


#6 pinoyako

Posted 29 August 2011 - 05:46 PM

I did it that way. It still freezes on login.

#7 zordon

Posted 29 August 2011 - 09:11 PM

I noticed this problem two weeks ago with one of my test machines. I infected it with the new ZeroAccess rootkit and it infected the i8042prt.sys driver for Windows. i8042prt.sys is a default Windows driver that controls your mouse and keyboard. If this driver gets corrupted or removed, your mouse or keyboard will not work. It will make your computer appear to be frozen at the login screen (or at your desktop if you don't have a password). I have a feeling that your friend's computer had an infected i8042prt.sys driver and ComboFix was in the process of replacing it when you turned the computer off. Hopefully, if you installed the Recovery Console, you can just replace it.

1. On startup, choose Microsoft Windows Recovery Console
2. Wait until it loads, choose your windows installation. For most, just press 1 then Enter.
3. Then type:

EXPAND "C:\WINDOWS\DRIVER CACHE\i386\sp3.cab" /F:i8042prt.sys C:\WINDOWS\SYSTEM32\DRIVERS /Y

If the above didn't work, you're going to need the Windows CD.

On this PC, the DVDROM was on D:
EXPAND D:\I386\I8042PRT.SY_ /F:i8042prt.sys C:\WINDOWS\SYSTEM32\DRIVERS /Y

4. Type "exit" to reboot.

This person had the infection I'm referring to:
http://www.bleepingcomputer.com/forums/topic414845.html/page__st__15

Edited by zordon, 29 August 2011 - 09:43 PM.


#8 Elise (Malware Study Hall Admin)

Posted 30 August 2011 - 05:57 AM

If this file is indeed the cause (which is not certain), it can indeed cause this problem. However, blindly replacing the file will not make much sense, as 1) we are not sure this is the affected file and 2) we are not sure where the replacement files are located. For that reason let's see if there are any affected or missing drivers.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB drive and the CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review


Next, using xPUD browse to /file/mnt/sda1/documents and settings/<your username>/Application data/malwarebytes antimalware/Logs
In that folder, look for the most recent log file and copy it to your usb drive (right click the file and select Copy, then navigate to your USB drive, right click in an empty space and select Paste). Post the log for my review.

I will move this topic to the malware removal forum.

regards, Elise



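The check that posts #7 and #8 are circling, written out as an added example: this is my own script, not the driver.sh from the post (whose contents are not on this page), and it is meant to be run from a Linux live CD such as xPUD with the Windows volume mounted read-only. For every *.sys under <WINDOWS>/system32/drivers it looks up the same-named copy in <WINDOWS>/system32/dllcache, compares SHA-256 hashes, and writes a report listing OK, MISMATCH, NOREF (no cached copy to compare with) and MISSING (cached copy exists but the driver is gone). Names are matched case-insensitively because the mounted volume may carry I8042PRT.SYS or i8042prt.sys. The mount point /mnt/sda1, the directory layout and the driver names in the fixture are assumptions; the fixture itself is constructed so the script can be dry-run offline.

```shell
#!/bin/sh
# Added example, not the driver.sh from the post: offline driver integrity check
# for a Windows XP volume mounted under Linux (e.g. /mnt/sda1/WINDOWS from xPUD).
# Every *.sys in system32/drivers is hashed and compared with the same-named
# copy in system32/dllcache. Names are matched case-insensitively, since the
# mounted NTFS/FAT volume may carry any case (I8042PRT.SYS vs i8042prt.sys).
set -u

# Print the entry named "$2" directly under "$1", ignoring case (empty if none).
ipath() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" 2>/dev/null | head -n 1
}

# SHA-256 of a file, using whichever tool the live CD has.
sha() {
    { sha256sum < "$1" 2>/dev/null || shasum -a 256 < "$1"; } | cut -d' ' -f1
}

# check_drivers <WINDOWS dir> <report file>
# One line per driver: OK, MISMATCH, NOREF (no dllcache copy to compare with),
# or MISSING (present in dllcache but gone from drivers/). Returns 1 if any
# MISMATCH or MISSING was found, 2 if the directory layout was not found.
# A match only shows the two copies agree; it does not prove either is clean.
check_drivers() {
    win=$1 report=$2
    sys32=$(ipath "$win" system32)
    drv=$(ipath "$sys32" drivers)
    ref=$(ipath "$sys32" dllcache)
    if [ ! -d "$drv" ] || [ ! -d "$ref" ]; then
        echo "no system32/drivers or system32/dllcache under $win" >&2
        return 2
    fi
    : > "$report"
    bad=0
    for f in "$drv"/*; do
        name=$(basename "$f")
        case "$name" in *.[sS][yY][sS]) ;; *) continue ;; esac
        r=$(ipath "$ref" "$name")
        if [ -z "$r" ]; then
            echo "NOREF $name" >> "$report"
        elif [ "$(sha "$f")" = "$(sha "$r")" ]; then
            echo "OK $name" >> "$report"
        else
            echo "MISMATCH $name" >> "$report"; bad=1
        fi
    done
    # Anything cached that no longer exists in drivers/ (a deleted driver).
    for r in "$ref"/*; do
        name=$(basename "$r")
        case "$name" in *.[sS][yY][sS]) ;; *) continue ;; esac
        if [ -z "$(ipath "$drv" "$name")" ]; then
            echo "MISSING $name" >> "$report"; bad=1
        fi
    done
    return $bad
}

# Constructed fixture for a dry run (assumed names, not real driver bytes):
# one clean driver, one tampered driver (the i8042prt.sys case from the thread,
# stored in upper case), one with no reference copy, one deleted from drivers/.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/WINDOWS/system32/drivers" "$d/WINDOWS/system32/dllcache"
    printf 'kbdclass ok'      > "$d/WINDOWS/system32/dllcache/kbdclass.sys"
    printf 'kbdclass ok'      > "$d/WINDOWS/system32/drivers/kbdclass.sys"
    printf 'i8042prt clean'   > "$d/WINDOWS/system32/dllcache/i8042prt.sys"
    printf 'i8042prt patched' > "$d/WINDOWS/system32/drivers/I8042PRT.SYS"
    printf 'mouclass'         > "$d/WINDOWS/system32/drivers/mouclass.sys"
    printf 'atapi'            > "$d/WINDOWS/system32/dllcache/atapi.sys"
    echo "$d"
}

# Usage on the live CD: sh driver_check.sh /mnt/sda1/WINDOWS /mnt/sdb1/report.txt
# With no arguments, run against the fixture and show the report.
if [ $# -eq 2 ]; then
    check_drivers "$1" "$2"; cat "$2"
elif [ $# -eq 0 ]; then
    root=$(make_fixture)
    check_drivers "$root/WINDOWS" "$root/report.txt" || true
    cat "$root/report.txt"; rm -rf "$root"
fi
```

Against the fixture the report reads OK for kbdclass.sys, MISMATCH for I8042PRT.SYS, NOREF for mouclass.sys and MISSING for atapi.sys, and the function returns 1. On a real volume, a MISMATCH on i8042prt.sys is the evidence post #8 asks for before running the Recovery Console EXPAND from post #7; an OK result is weaker than it looks, because it only says the dllcache copy agrees with the live one, not that either is the file Microsoft shipped.
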
#9 pinoyako

Posted 30 August 2011 - 06:57 PM

I got this fixed. I just downloaded Hiren's BootCD 14.0 Restored Edition and then used the Gateway System Restore. That way I didn't have to re-install the whole OS and waste a lot of time. Thank you guys for the help.

#10 Elise (Malware Study Hall Admin)

Posted 31 August 2011 - 02:38 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise

