
Post ComboFix disaster


6 replies to this topic

#1 Capicola

Capicola

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:56 AM

Posted 17 March 2012 - 02:03 PM

Got a call from a new client. He had someone work on his machine, Acer tower running Windows XP Media Center. The person ran ComboFix, supposedly created the restore point during that. Since ComboFix completed, attempts to start system come to an NT login screen asking for password. This was a single user system that booted straight to the desktop. Owner advises never had a password. I made one attempt to reset password using Hiren's Boot CD with no success. Attempts to start in safe mode hang right after it reaches the point of loading the AGP sections. Any help will be appreciated.

Edited by hamluis, 17 March 2012 - 03:15 PM.
No logs, moved from Malware Removal Logs to Am I infected.



#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,300 posts
  • ONLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:07:56 AM

Posted 17 March 2012 - 03:26 PM

If you have CF log, I suggest you submit it...along with other requested logs...following the directions at Preparation Guide Before Using Malware Tools .

Your topic has been moved because it does not reflect any of the appropriate malware logs...I have also listed it on our internal list of systems which are unbootable due to malware. Someone will attempt to assist you shortly.

Louis

Edited by hamluis, 17 March 2012 - 03:27 PM.


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,320 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:56 PM

Posted 19 March 2012 - 02:36 AM

Try and see if the administrator account still works (username administrator, password administrator).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 Capicola

Capicola
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:56 AM

Posted 19 March 2012 - 06:18 AM

Now when I start the machine, it is in an endless reboot loop shortly after displaying the "loading Windows" screen. I booted up from CD using Hiren's Boot CD, and checked for the ComboFix.txt log under C:\ and do not see anything. All the Windows, Users and other folders appear to be intact on the drive. I have backed up all of the owner's data files under My Documents, etc. Spoke to the owner, who recalls the person who did this also ran various tools prior to ComboFix, including AMB, SuperAntiSpyware, TDSSKiller and possibly more. He says the machine successfully restarted after each one until the guy ran ComboFix. I do see a TDSSKiller log file dated 3/17/2012, which shows that there were 0 detected objects, and there is a Qoobox folder dated 3/15/2012 with a Registry backups folder in it. Is there a way to restore to before ComboFix was run?

Please advise of the next step I can take to help you in this disaster!

Edited by Capicola, 19 March 2012 - 06:28 AM.


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,320 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:56 PM

Posted 19 March 2012 - 08:45 AM

Let's see if there is a BSOD code that can help us. As a general note, not a good idea to run ComboFix unsupervised; as you can see, when something goes wrong, it's handy to know first how to recover from that. :)

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure", as shown here:
  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
Please post me the error(s).

regards, Elise


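The F8 option Elise describes ("Disable Automatic Restart on System Failure") is the same switch as the AutoReboot value under the SYSTEM hive's CrashControl key. On a box that loops before F8 can be reached, the value can be set from boot media instead. The script below is an added example, not part of the thread or of any tool named in it; it assumes a WinPE-style boot CD that has PowerShell and reg.exe, and that the offline XP installation is visible there as C:\Windows.

```powershell
# Added example (not from the thread): flip AutoReboot to 0 in an OFFLINE
# Windows XP SYSTEM hive so the next boot stops on the STOP screen instead
# of rebooting. Run from a WinPE boot CD prompt as Administrator.
# $OfflineWindows is an assumption: the offline install's Windows folder.
param([string]$OfflineWindows = 'C:\Windows')

$hive = Join-Path $OfflineWindows 'System32\config\system'
if (-not (Test-Path $hive)) { throw "SYSTEM hive not found at $hive" }

# Mount the offline hive under a temporary key; reg.exe does the loading.
$mountName = 'OFFSYS'
reg load "HKLM\$mountName" $hive | Out-Null
try {
    # Select\Current says which ControlSetNNN the install actually boots
    # from. Do not assume ControlSet001; a prior repair can change it.
    $current = (Get-ItemProperty -Path "HKLM:\$mountName\Select" -Name Current).Current
    $csName  = 'ControlSet{0:D3}' -f $current
    $crash   = "HKLM:\$mountName\$csName\Control\CrashControl"

    $before = (Get-ItemProperty -Path $crash -Name AutoReboot -ErrorAction SilentlyContinue).AutoReboot
    Write-Host "$csName AutoReboot before: $before"

    # 0 = halt on the blue screen (what F8 -> Disable automatic restart sets).
    Set-ItemProperty -Path $crash -Name AutoReboot -Type DWord -Value 0

    $after = (Get-ItemProperty -Path $crash -Name AutoReboot).AutoReboot
    Write-Host "$csName AutoReboot after:  $after"
}
finally {
    # Release PowerShell's handles on the mounted key, then unload it;
    # a hive left loaded stays locked and the real boot cannot open it.
    [GC]::Collect()
    reg unload "HKLM\$mountName" | Out-Null
}
```

After the next boot halts, the STOP code and parameters on screen are what Elise asks to have written down; set AutoReboot back to 1 the same way once diagnosis is done.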


#6 Capicola

Capicola
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:56 AM

Posted 19 March 2012 - 10:50 AM

I already knew it was not good to run ComboFix unsupervised, been doing this for over 30 years now. Sadly the 20 year old "technician" that my client first used apparently did not!

Thank you for the assist, problem has been resolved by customer giving me the go-ahead to copy off their data files, wipe the hard drive and put Windows 7 Professional on the machine! Wishing you a great day!!! Cappy Cross

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,320 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:56 PM

Posted 19 March 2012 - 10:53 AM

Thank you for the note, glad to hear things are running well again. :)

regards, Elise






