ComboFix reports "comres.dll" is infected & "axaltocm.dll" file reappears

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by krellkraver, Oct 20, 2009.

  1. krellkraver

    krellkraver Private E-2

    Hello,

    Last week, on an AMD Athlon 2200+ based PC running Windows 2000 Pro I was seeing numerous symptoms including being unable to run Internet Explorer-based Windows Update or Microsoft Update, and not being able to run the Add/Remove Programs component. Attempts to do these tasks would result in a non-responsive window which if hovered over with the mouse pointer would turn the pointer into the hourglass icon. Interestingly, Task Manager did not show these windows as "Not Responding" so they weren't typical "freezes" or "hangs", but they could only be closed by killing the respective process.

    Having had good success with the READ & RUN ME FIRST, Malware Removal Guide in these forums in the past, I started the same procedure. Both SAS and MBAM found no infections, but while running ComboFix, just after the "Completed Stage_50" message, the message "System file is infected !! Attempting to restore C:\WINNT\system32\comres.dll" was displayed.

    ComboFix then said it would reboot, but after the restart, a window appeared for which I didn't write down the details verbatim. It was some kind of announcement that the system was shutting down in 60 seconds due to something resulting from lsass.exe. At the end of the countdown, the computer restarted again, but then would arrive at a blank desktop and not progress any further. The mouse pointer would move, but the system did not respond to any clicking (left or right), and CTRL+ALT+DEL did nothing.

    To recover from this, I had to boot to Recovery Console and use the "batch erdnt.con" command. Once I could boot normally, I tried ComboFix again, with the same result.

    I decided I would post in these malware forums and collect log files, but I did not get to this task until the last couple of days. Between last week and now, I also tried several other malware detectors, including Spybot S&D, Hitman Pro, and Lavasoft Ad-Aware. Most came up empty, but Lavasoft did remove something, although it wasn't "comres.dll".

    In fact, I have searched all the drives attached to this PC, and I have never found a single instance of a "comres.dll" file at any time (including searching among hidden and system files).

    When I started to re-run the READ & RUN ME FIRST, Malware Removal Guide steps starting yesterday, ComboFix no longer hung at the blank desktop, but some other strange behavior occurred that may have been related to not having a large enough swap file and registry space (somehow these settings were corrupted). I've since corrected the registry space and swap file settings, and have re-run ComboFix a number of times. The "comres.dll" error always remains, and the "axaltocm.dll" file seems to intermittently return. I'm not sure whether the change in ComboFix behavior is due to newer versions of the software or due to the files that Lavasoft Ad-Aware removed.

    The good news is that the IE Windows and Microsoft Update and Add/Remove Programs symptoms seem to be fixed now. But I'm concerned that the issues found by ComboFix do not disappear, and that the "axaltocm.dll" file periodically reappears (at least according to ComboFix; I've never actually seen a copy of this file on my own).

    I'm attaching all the log files starting with this post and continuing in subsequent posts. All recent ComboFix logs are included -- these are numbered from earliest to most recent.

    I'd really appreciate any suggestions on how to correct these issues.


    Thanks,

    krellkraver
     

    Attached Files:

  2. krellkraver

    krellkraver Private E-2

    Here are more attached log files.


    krellkraver
     

    Attached Files:

  3. krellkraver

    krellkraver Private E-2

    And the last log file.


    krellkraver
     

    Attached Files:

  4. evilfantasy

    evilfantasy Malware Fighter

    Please don't do this. We need to see the first log from each scan and only the first one unless specifically asked to run the tool again.

    Download Dr.Web CureIt and save it to your desktop.

    Scan with DrWeb-CureIt as follows:

    • Double-click on drweb-cureit.exe and then click Start
    • An information notice will appear, click OK.
    • This starts a short scan that will scan the files currently running in memory.
    • If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
    • If or when something is found, click the Yes button when it asks you if you want to cure it.

    • Once the short scan has finished, Click Settings > Change Settings
    • Under the Scanning tab UNcheck Heuristic analysis and click OK
    • Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
    • When the scan is done.
    • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
    • Save the DrWeb.csv report to your Desktop.
    • Exit Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

    * After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
    * Attach that log in the next reply.
     
  5. krellkraver

    krellkraver Private E-2

    Thanks for your reply. Sorry about re-running ComboFix -- I didn't know that would be a problem. The first log I got from ComboFix is the file named "combofix1.txt". ComboFix was run twice before that, but neither of those runs completed to the log creation stage.

    I've run Dr.Web CureIt per your instructions and I've attached the log here.


    Thanks again,

    krellkraver
     

    Attached Files:

  6. evilfantasy

    evilfantasy Malware Fighter

    Do this please.

    You will need to have your Windows 2000 Operating System disk handy for this.

    Click start, then run.

    In the run box type sfc /scannow (be sure to include the space between sfc and /scannow)

    Let it run and let me know if it finds any errors or any messages you get.
     
  7. krellkraver

    krellkraver Private E-2

    I ran "sfc /scannow", and the progress bar went across the screen, and it seemed to complete without reporting any errors. In fact, it didn't give any report at all.

    I then restarted the computer and checked the System Log with the Event Viewer. I found these reports from Windows File Protection:

    Event ID: 64020
    Windows File Protection scan found that the system file c:\winnt\system32\drivers\sis300p.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 4.11.1.1000.

    Event ID: 64020
    Windows File Protection scan found that the system file c:\winnt\system32\sis300v.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 4.11.1.1000.

    Is it possible the infection could have been hiding in these two files? It seems strange that none of the other scans detected an infection (aside from ComboFix).


    Thanks,

    krellkraver
     
  8. evilfantasy

    evilfantasy Malware Fighter

    The Event Viewer can be very confusing unless you know exactly what you are seeing. Windows is constantly having starts, stops, errors and so on that will be seen in the Event Viewer. 99.999% of the time there isn't a problem. I don't think those two Event Viewer entries are anything to worry about.

    Please do this.

    Please go to VirSCAN.org FREE on-line scan service
    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)

    1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
    Code:
    c:\winnt\system32\comres.dll
    2. At the upload site, click once inside the window next to Browse.
    3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    4. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    6. Paste the contents of the Clipboard in your next reply.
     
    Last edited: Oct 26, 2009
  9. krellkraver

    krellkraver Private E-2

    I tried to follow your directions to run the virscan.org scan on the c:\winnt\system32\comres.dll file, but the web page was unable to find the file. I've attached a screenshot so that you can see for yourself.

    I've tried to search for the file repeatedly from a command line using the command: c:\> dir comres.dll /a /s but I've never found anything. Yet ComboFix continued to report the file is infected.

    You don't think a somewhat modified version might have been hiding in the files that sfc scan replaced (that somehow only ComboFix was detecting)?
     

    Attached Files:
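    The two checks the helper and the poster are doing by hand above, locating every copy of the named file (hidden and system files included, `dir /a /s`) and obtaining something to submit to a multi-engine scanner, can be scripted. The following is an added example written for this page; it is not from the thread, from ComboFix, or from VirSCAN. It searches a directory tree case-insensitively the way Windows matches names, hashes each copy it finds, compares copies of the same name against each other (for instance the system32 copy against the dllcache copy that Windows File Protection restores from), and reports a name with no copy at all as "not found", which is exactly the situation the poster hit with comres.dll. The `demo_tree` function builds a constructed stand-in for C:\WINNT in a temporary directory; the file names and contents in it are invented for the demonstration and are not real system files. On a live machine you would point `triage()` at the real system root instead.

```python
"""Offline triage of a scanner's "system file is infected" claim.

Added example for this thread, not ComboFix or VirSCAN code.  Locates
every copy of the named files under a root (case-insensitive, hidden and
system files included), hashes each one, and compares copies of the same
name so a tampered system32 copy stands out against the dllcache copy.
A name with no copies is reported as "not found" rather than infected.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def find_copies(root, names):
    """Return {lowercased name: [paths]} for every file under `root`
    whose name matches one of `names`, case-insensitively.
    os.walk does not skip hidden or system files, so this corresponds
    to `dir <name> /a /s` from the root."""
    wanted = {n.lower() for n in names}
    hits = {n: [] for n in wanted}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() in wanted:
                hits[f.lower()].append(os.path.join(dirpath, f))
    return hits


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks; the value you would look up
    on a multi-engine scan service instead of uploading blindly."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, names):
    """One record per name with status 'not found', 'consistent' (all
    copies share one hash) or 'copies differ' (compare each copy against
    a known-good catalog before trusting either)."""
    report = {}
    for name, paths in find_copies(root, names).items():
        if not paths:
            report[name] = {"status": "not found", "copies": {}}
            continue
        hashes = {p: sha256_file(p) for p in sorted(paths)}
        status = "consistent" if len(set(hashes.values())) == 1 else "copies differ"
        report[name] = {"status": status, "copies": hashes}
    return report


def demo_tree():
    """Constructed stand-in for C:\\WINNT; invented contents, not real
    system files.  comres.dll has matching system32/dllcache copies,
    sis300p.sys has copies that differ, axaltocm.dll is absent."""
    root = tempfile.mkdtemp(prefix="winnt-demo-")
    sys32 = Path(root, "system32")
    cache = sys32 / "dllcache"
    cache.mkdir(parents=True)
    (sys32 / "drivers").mkdir()
    (sys32 / "COMRES.DLL").write_bytes(b"MZ" + b"\x00" * 62)
    (cache / "comres.dll").write_bytes(b"MZ" + b"\x00" * 62)
    (sys32 / "drivers" / "sis300p.sys").write_bytes(b"MZ" + b"\x01" * 30)
    (cache / "sis300p.sys").write_bytes(b"MZ" + b"\x02" * 30)
    return root


if __name__ == "__main__":
    root = demo_tree()
    for name, rec in triage(root, ["comres.dll", "axaltocm.dll", "sis300p.sys"]).items():
        print(f"{name}: {rec['status']}")
        for p, h in rec["copies"].items():
            print(f"    {h}  {p}")
```

    Run against the constructed tree, the report shows comres.dll as consistent across its two copies, sis300p.sys as "copies differ", and axaltocm.dll as "not found". A "not found" result is the point: a scanner verdict on a path that does not exist cannot be confirmed by any second opinion, so it should be treated as unconfirmed, not acted on.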

  10. evilfantasy

    evilfantasy Malware Fighter

    What I think is that is a false finding by ComboFix.

    Your logs from what I can see are clean. How is the computer running?
     
  11. evilfantasy

    evilfantasy Malware Fighter

    I've checked with the experts and this is a false finding by ComboFix.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  12. krellkraver

    krellkraver Private E-2

    The computer seems to be running well from the little I have used it. I'm avoiding using it for the most part because I'm not sure whether to trust it or not.

    Do you think the intermittent ComboFix "discovery" of the "axaltocm.dll" file is also a false positive?

    If you have no objection, I'd like to try re-running ComboFix to see what it currently says before running those clean-up steps, but I'm encouraged to learn that it is likely a false positive.
     
  13. evilfantasy

    evilfantasy Malware Fighter

    Actually after having a closer look we should run ComboFix again, only to restore the two files that it removed.

    While we use ComboFix regularly it is mainly used on XP and Vista. Windows 2000 is a bit dated so some tools will see things as suspicious or even malware when they actually aren't. If you ever get a chance to upgrade Operating Systems I would suggest doing so. Windows 2000 is pretty outdated at this point.

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    DeQuarantine:: 
    C:\Qoobox\Quarantine\C\WINNT\system32\axaltocm.dll.vir 
    C:\Qoobox\Quarantine\C\WINNT\system32\OGACheckControl.DLL.vir
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    [Screenshot: CFScript.txt dragged onto ComboFix.exe]

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
     
    Last edited: Oct 26, 2009
  14. krellkraver

    krellkraver Private E-2

    I've run ComboFix as instructed and attached the resulting log.

    Thank you for all of your help, and for restoring my confidence in my computer. I agree that Windows 2000 is quite dated, and I'd really like to try Windows 7 on this computer, but I'm sure the hardware won't support it. I've been meaning to upgrade to XP for some time, but never seem to get around to it.

    Unless you have any further tasks you'd like me to do, I'll run the clean up routines you provided in your earlier post.

    Thanks again!
     

    Attached Files:

  15. evilfantasy

    evilfantasy Malware Fighter

    Check for a log in C: and attach it if found please.

    C:\DeQuarantine.txt
     
  16. krellkraver

    krellkraver Private E-2

    Here's the C:\DeQuarantine.txt file.

    I should also mention that after ComboFix was able to successfully complete running the first time (which generated the log I called "combofix1.txt") there must have been an actual problem that was fixed, because I was then able to access Microsoft Update and the Add/Remove Program features. I'm hoping that that issue was separate from these "comres.dll" and "axaltocm.dll" false positives and that whatever the problem was, ComboFix fully repaired it.
     

    Attached Files:

  17. evilfantasy

    evilfantasy Malware Fighter

    Other than removing malware ComboFix also does some things that aren't seen in the log so it is quite possible that it did fix your other issues.

    Looks like you can continue on with the final steps now.
     
  18. krellkraver

    krellkraver Private E-2

    Thank you very much for all your help!
     
