
Effects of Combofix and issue with Java Webstart



#1 numach


Posted 30 May 2017 - 09:40 AM

Hello all,
 
I'm not sure if this is the best place to post this but I couldn't find another forum I thought seemed better...
 
That said, we have an interesting issue at my office involving PCs that we've used ComboFix on...
Over the years it's been a great tool in helping with malware related matters and we were even using it as part of routine maintenance scans at one time on our computers, but recently we've discovered a problem which affects any PC we run it on whether it finds anything on the system or not (we've tested with brand new PCs with fresh Windows 7 installations in addition to errant PCs).
 
We use Oracle to manage the company's assets and are in the process of moving to version 12c and we will be utilizing Java Web Start with it (so we are no longer browser dependent for the Oracle Forms). Any computer that has had ComboFix run on it seems to no longer be able to have Java/Web Start applications communicate externally to the system or other apps anymore. In particular we have an Oracle Form using the 'web.show_document' function call to open a PDF report which is sent to the system's default web browser initially and opened. We've also tested this function call simply having it open Google as well - no go.
 
Any computer that has *not* had combofix run on it works just fine (browser opens right up to whatever page or link we send to it) but as soon as we run combofix (even if nothing is found) the system will no longer work properly and this function call will no longer be able to pull up anything.
 
Right now the only solution we've found is to reinstall Windows - system restore to a time before CF was run does not work, completely clearing out the Java installation (registry entries and all) and reinstalling does not work, nor does anything else we've tried.
 
I have about 50 computers between sites in 3 states that are going to need this corrected and having to back up each one's personal files, reinstall Windows (including drivers and ancillary software if we don't have an image already made for the machine), set the system back up for use on our network and then restore the user's files takes a long time... and to have to do that for this many machines is not only difficult but I also have to plan trips to these sites and may very well run out of time depending on how long things take - I can only guess when I make my plans.
 
Does ANYONE on here have any idea what exactly combofix changes on the system that might affect this and potentially fix that so what I'm talking about works again?  This would save me a boat-load of time and work if so!  I have to leave for Texas to service about 15 of these machines in the next few weeks so I am hoping to figure out something better and much more time-efficient before then.
 
Any help is appreciated - thanks in advance!


Mod Edit .... Moved to Antivirus Tools ~~ boopme


Edited by boopme, 30 May 2017 - 10:12 AM.




#2 jwoods301


Posted 30 May 2017 - 05:58 PM

Check that the file association for JNLP files is set to open with Java Web Start.

 

In the Bleeping Computer review of ComboFix, there is a warning included...

 

> BleepingComputer Review:
>
> ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.
>
> Please note that running this program without supervision can cause your computer to not operate correctly. Therefore only run this program at the request of an experienced helper.



#3 quietman7


Posted 31 May 2017 - 04:41 AM

Just FYI...Combofix was never meant to be used as a general purpose malware scanner like Malwarebytes, Zemana AntiMalware, SuperAntispyware, AdwCleaner, etc which scan individual drives, different folders, the registry, etc on a computer for malware nor was it designed to be a remote support tool, though many use it as such....see the ComboFix usage, Questions, Help? - Look here.

If you need to report a problem with ComboFix, you can contact the developer (sUBs) by posting a topic at Tech Support Forum. sUBs will need to see the ComboFix log so he can investigate...be sure to include the ComboFix log in your posting.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 numach


Posted 31 May 2017 - 09:43 AM

jwoods301 wrote:
> Check that the file association for JNLP files is set to open with Java Web Start.
>
> In the Bleeping Computer review of ComboFix, there is a warning included...
>
> BleepingComputer Review:
>
> ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.
>
> Please note that running this program without supervision can cause your computer to not operate correctly. Therefore only run this program at the request of an experienced helper.

 

JNLP files are associated properly... the app itself launches just fine.  So far only the function call I mention has the issue but it's a serious one as it's used by Oracle Forms extensively to call the hundreds of reports everyone generates everyday.

 

Beyond that we of course have to worry about anything we simply haven't come across yet being affected (we have not extensively tested the entire system yet as some of it is still being ported from version 11).



#5 jwoods301


Posted 31 May 2017 - 01:03 PM

I read one article on Oracle's site that mentioned adding the form server site to the list of Trusted Sites if the web.show_document issue is happening in Internet Explorer.

 

Otherwise, I would start looking at logs to see if there are any clues as to why it's failing.



#6 numach


Posted 01 June 2017 - 08:35 AM

jwoods301 wrote:
> I read one article on Oracle's site that mentioned adding the form server site to the list of Trusted Sites if the web.show_document issue is happening in Internet Explorer.
>
> Otherwise, I would start looking at logs to see if there are any clues as to why it's failing.

 

It's happening with all browsers - tested with IE10 and 11, Firefox versions 48 and 52 and Chrome (most recent release).  We also have the forms server address in trusted sites for IE.

 

It's so strange... the actual Java application runs just fine, but when using web.show_document the call to the external browser on *any* computer (that has had combofix run on it previously) just seems to be ignored by the OS.

 

I'm scratching my head. Hopefully I'll find an easy solution, but if CF has changed how files and functions are working internally on the OS itself in this manner I'm thinking maybe it's best to just reimage the affected systems anyway, as there is no telling what other deep changes have been made that may affect something else later as well.



#7 quietman7


Posted 01 June 2017 - 11:09 AM

ComboFix is probably removing something related to Java Web Start, causing an issue with the web.show_document call to the external browser. Without anyone looking through its log, it is going to be difficult to determine what that detection is.



#8 jwoods301


Posted 01 June 2017 - 02:17 PM

You might try setting up a fresh image on a VM with web.show_document working, run ComboFix, and see if it breaks.

 

Then you'll have a ComboFix log to check.



#9 numach


Posted 01 June 2017 - 02:39 PM

jwoods301 wrote:
> You might try setting up a fresh image on a VM with web.show_document working, run ComboFix, and see if it breaks.
>
> Then you'll have a ComboFix log to check.

 

I have done just that.  After going through the log all I can see are reg entries that are still there in the registry when I check. :-(



#10 quietman7


Posted 01 June 2017 - 03:14 PM

sUBs may need to have a look. For all we know someone else may have experienced the same problem and reported it to him.

#11 jwoods301


Posted 01 June 2017 - 04:16 PM

While you're waiting for a response from sUBs, you might try this solution using the Windows Event Log for tracking changes to files...

 

https://community.spiceworks.com/topic/363079-using-event-viewer-to-track-changes-to-files

 

The description of Security Events in Windows 7/Server 2008 R2...

 

https://support.microsoft.com/en-us/help/977519/description-of-security-events-in-windows-7-and-in-windows-server-2008-r2

 

Another way to monitor what ComboFix is doing (might be easier) is using Sysinternals' free Process Monitor.

 

https://technet.microsoft.com/en-us/sysinternals/bb896645

 

Create a filter for ComboFix and run Process Monitor when running ComboFix.

 

There is a logging feature. Turn it on by clicking on File > Backing Files.... There will be two options: Use virtual memory (which is the default), and Use file named:.

Click on the Browse button (the one with 3 dots) and it will take you to the folder where Process Monitor is installed. Enter a file name. It will automatically be given an extension of .PML. Click Save.

When Process Monitor is restarted, check that File > Capture Events is checked. It will log everything within the filter criteria that has been set up (default filters are fine for now).

Anyone with Process Monitor will be able to use it to open the .PML file and view it as if it were on their system.


Edited by jwoods301, 01 June 2017 - 07:38 PM.


#12 jwoods301


Posted 02 June 2017 - 02:42 PM

An example of Process Monitor filters I created to track what CCleaner deletes from the file system and registry...

 

https://www.dropbox.com/s/nmfe9n0wq6rmuhg/Process%20Monitor%20Filters.JPG?dl=0


Edited by jwoods301, 02 June 2017 - 02:44 PM.
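As an added illustration of the triage jwoods301 describes in the two posts above (this is not code from the thread or from Process Monitor itself): once a trace has been filtered on the tool's process and saved as CSV, the script below lists only the successful state-changing operations, which is the part of a trace that answers "what did the tool change?". It assumes Process Monitor's default CSV column names; the rows are constructed samples, not a real ComboFix trace, and the http handler row is included only because web.show_document hands its URL to the system default browser, so that key is one worth watching.

```python
import csv
import io
from collections import defaultdict

# State-changing ProcMon operations to look at first; reads and queries are ignored.
STATE_CHANGING_OPS = {
    "RegDeleteValue": "registry value deleted",
    "RegDeleteKey": "registry key deleted",
    "RegSetValue": "registry value written",
    "SetDispositionInformationFile": "file marked for deletion",
    "SetRenameInformationFile": "file renamed or moved",
}

# Constructed sample in ProcMon's default CSV column layout; not a real trace.
# Includes a read (ignored), another process (ignored) and a failed delete (ignored).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:40:01.0001","ComboFix.exe","1234","RegQueryValue","HKCR\\jnlpfile\\shell\\open\\command","SUCCESS","Type: REG_SZ"
"9:40:01.0002","ComboFix.exe","1234","RegDeleteValue","HKLM\\SOFTWARE\\Example\\Run\\Updater","SUCCESS",""
"9:40:01.0003","ComboFix.exe","1234","SetDispositionInformationFile","C:\\Users\\bob\\AppData\\Local\\Temp\\x.tmp","SUCCESS","Delete: True"
"9:40:01.0004","ComboFix.exe","1234","RegSetValue","HKCU\\Software\\Classes\\http\\shell\\open\\command\\(Default)","SUCCESS","Type: REG_SZ, Data: iexplore.exe %1"
"9:40:01.0005","explorer.exe","999","RegDeleteValue","HKCU\\Software\\Example\\Unrelated","SUCCESS",""
"9:40:01.0006","ComboFix.exe","1234","SetDispositionInformationFile","C:\\Windows\\Temp\\y.tmp","ACCESS DENIED","Delete: True"
"""


def triage(csv_text, process_name):
    """Group the paths that process_name successfully changed, keyed by the
    kind of change. Rows from other processes and failed operations are skipped."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        label = STATE_CHANGING_OPS.get(row["Operation"])
        if row["Result"] != "SUCCESS" or label is None:
            continue
        # SetDispositionInformationFile with "Delete: False" cancels a pending delete
        if label.startswith("file marked") and "Delete: True" not in row["Detail"]:
            continue
        hits[label].append(row["Path"])
    return dict(hits)


if __name__ == "__main__":
    for label, paths in triage(SAMPLE_CSV, "ComboFix.exe").items():
        print(label)
        for path in paths:
            print("    " + path)
```

The remaining registry paths are the ones to compare against the ComboFix log and against a live machine, which is the check numach was doing by hand in post #9.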




