Help!!! ComboFix is still running!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by archp2008, Apr 16, 2008.

  1. archp2008

    archp2008 Private E-2

    I need help in uninstalling Combofix manually using Regedit. I had help using combofix before but the person helping me did not uninstall it completely. The person assisting me said to rename it to combo-fix (with a hyphen). Running Combofix /u or combo-fix /u never did work. I would at least like to get rid of the delete /f /s /v index.dat that runs on each shutdown and adds to an already very slow shutdown. :(
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'm sorry ....but who was it that was helping you? This would appear to be your first post at MG's. I'm confused. :confused
     
  3. archp2008

    archp2008 Private E-2

    I actually installed two combofix versions. One unsupervised and the second (which uninstalled) supervised. I would have to check to find out the forum for the latter. She just told me to get rid of the old combofix, which I didn't know how, then she told me to simply delete the old folder completely. I didn't realize the first time that the file was only allowed to be run supervised - just didn't read all the thread. I guess this has happened before to some people. Thanks for any suggestions.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    She who? On this site?

    Was ComboFix installed on your desktop?
     
  5. archp2008

    archp2008 Private E-2

    I can give you the thread later. I have a multiboot setup and the email client is on the main partition. She was from another forum. She spent a lot of time trying to help me. At the end she pleaded lack of expertise in the area of my original problem (system event errors). In the end I fixed those problems myself. I did start a new thread on the same forum but nobody answered. So now I'm trying to find a forum that answers me, and I do appreciate your reply, even though I got myself into this mess through my own initial carelessness. I am wondering if there is not a tendency to "walk to the other side of the street" when finding someone who has got himself into a mess by running combofix without proper supervision. I didn't really know when I did this that it was something not to be done on your own. Now I have the problem of having it installed without the folder. The only thing I have is a copy of the folder listing (text). I can paste that in if you think it may help. Regards.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The best way for me to see what is going on is to:

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  7. archp2008

    archp2008 Private E-2

    Yes, another version of combofix was installed on my desktop. There is a five page thread on another forum that I can give you the link to if you wish, though I sort of feel that it would be a breach of professional ethics to point to the individual who tried her best to help me.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then can you not just right click the desktop exe and delete it? I would still like you to do the Read and Run first and attach the requested logs.

    I don't need to know who or where...since it was not here. :)
     
  9. archp2008

    archp2008 Private E-2

    Thanks for the reply.

    Yes, the combofix and combo-fix executables are long gone from the desktop as well as the two combofix file folders. The only thing that I am concerned about now is that the index.dat file continues to be deleted on each shutdown. Perhaps that's not a bad thing, is it? It only delays shutdown some 10-15 seconds at the longest. I'm just ignorant of what Combofix does and, knowing that this delete batch file continues to execute, I don't know what else associated with combofix may be running as well.

    Trying to uninstall Java there were only two updates there. I clicked to remove one and it switched from Programs Add/Remove to Windows Add/Remove window and seemed to uninstall IIS. It seems to be installed with the check box greyed out. Now there are no Remove buttons next to either of the two Java updates that are listed in Add/Remove programs, so I don't know how to uninstall them.

    Must I uninstall all p2p software that's on there even though it is not running? Limewire and utorrent and possible Shareaza are there, of course, but never running.

    Thanks again.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Unless you are willing to do the Read and Run First instructions and attach the requested logs, this is fruitless.
     
  11. archp2008

    archp2008 Private E-2

    The remove button was missing from the add/remove programs list for Java updates 2 and 3. I uninstalled them using a 3rd party uninstaller. I am about to reinstall it now. I assume p2p networking means everything associated with p2p.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Some P2P is worse than others...you can always reinstall it later or skip it for now and do the rest.
     
  13. archp2008

    archp2008 Private E-2

    Yes, I understand. Actually, I have uninstalled them all. I had a ton of Adobe Programs that were evidently left over from a CS3 uninstall. I uninstalled all of them. Unfortunately, I have way too many programs installed, sort of like old clothes that I don't want to throw away. I'm a pack rat. I tell my wife to give my old clothes to charity and not bother to tell me because it would bug me. If I were to uninstall all the programs I haven't used in this past month it would be 95% of what's on there. Lately I have been spending most of my time with multibooting including Linux. It may take me awhile to finish all the cleaning recommendations.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    When you get the logs we can begin.
     
  15. archp2008

    archp2008 Private E-2

    I'm still working my way through the Read Me guide. Some of that stuff is good. I managed to get Spyware Doctor to remove a high threat virus that was not detected by Avast. I'm at the point now where it says to run startup in normal mode. This checked off all the old stuff in msconfig that I had unchecked, some of them perhaps are there more than once. I got three or four errors here. First it said access denied in changing a service (no service named). When it restarted I got access violation in aacenter. I also got three or four security programs to load that I had opted in msconfig not to start including tea timer which drives me nuts wanting permission to change more than a dozen registry entries. I noticed Registry Expert came up and I did run that since it's been some time. The good part was that the shutdown (ironically) was faster. There were one or two other errors that I can't recall. Do I have to use normal mode and uninstall all the (good) stuff that I prefer not to have running? How am I to ascertain which Windows service wouldn't start?
     
  16. archp2008

    archp2008 Private E-2

    I had a lot of trouble getting my system back the way it was after attempting to start in normal mode. It is the first time I have read a clear explanation of msconfig and why it should not be used as a long term solution to control programs. I likely have a few bad uninstalls over the past months. Some of the programs that I have turned off in msconfig, I will probably uninstall; although not all of them are listed in add/remove programs, so I may have trouble trying to figure out the uninstall procedures, for example for motherboard utilities. Others I will attempt to turn off within the program settings, but they seem to have a way of turning themselves back on. It may take awhile. Is there a way to completely delete items for uninstalled programs from the msconfig listing?
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The instructions tell you to do them in normal msconfig ....we need to see what is there....please just run the scans and attach the logs ...we can "discuss" other issues later.
     
  18. archp2008

    archp2008 Private E-2

    I got ahead of myself and forgot to scan all drives. I will do all other drives now.
     

    Attached Files:

    Last edited by a moderator: Apr 19, 2008
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  20. archp2008

    archp2008 Private E-2

    Here is the full log. There was a no disk error at the end. I forgot to unplug my iPod. Also, I have been having problems with one disk or the other not being detected on bootup today.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 04/19/2008 at 10:17 PM

    Application Version : 4.0.1154

    Core Rules Database Version : 3442
    Trace Rules Database Version: 1434

    Scan type : Complete Scan
    Total Scan Time : 01:46:55

    Memory items scanned : 467
    Memory threats detected : 0
    Registry items scanned : 7039
    Registry threats detected : 0
    File items scanned : 106809
    File threats detected : 0
     

    Attached Files:

  21. archp2008

    archp2008 Private E-2

    Spybot run
     

    Attached Files:

  22. archp2008

    archp2008 Private E-2

    I will be out of town for the day. Thanks very much for your help. Will continue this evening or tomorrow.
     

    Attached Files:

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    MGLogs.zip will tell me what else is going on.
     
  24. archp2008

    archp2008 Private E-2

    combofix log
     

    Attached Files:

    • log.txt
      File size:
      34.8 KB
      Views:
      2
  25. archp2008

    archp2008 Private E-2

    mglogs
     

    Attached Files:

  26. archp2008

    archp2008 Private E-2

    Ewido log (tracking cookies only)
     

    Attached Files:

  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please tell me exactly what problems you are having now, if any. :)
     
  28. archp2008

    archp2008 Private E-2

    Well, first of all, I would like to say that I do appreciate very much this exhaustive cleaning regimen that you guide me through. It was good to see the various items quarantined. It may have shortened my shutdown time a bit (10-15 seconds) but it still approaches the two minute mark. Ordinary operations like explorer functions are noticeably snappier than they were a day or two ago. That being said, the original issue that I mentioned, the del /f /s /v index.dat file that runs at shutdown, does continue to run at that time. Being that this began around the time I installed the first combofix on my own, I have been assuming that it is related to Combofix. The person who helped me clean my machine just previously (when I was having event viewer system errors that were sometimes associated with crashes and BSOD's) indicated to me that this file was supposed to run the first time combofix is run, but not after it is uninstalled. Looking in my System Event Viewer files now, I notice that there was a very long string of errors at exactly midnight last night (00:00:00). I think this is when I returned from my road trip and booted up in normal mode and all those programs that I don't normally permit to run tried to start up. When I use my specified startup list, I get essentially no event system errors. So I understand that I should be concerned about not being able to start in normal mode. I took digital camera pictures of 5 or 6 of the errors that appeared on the screen when I ran in normal mode the first time. The second and third times there were fewer screen messages. The explorer screen was the last thing that appeared. Please let me know what to do next. I am currently using msconfig to disable many programs. I can hit prtscrn and copy the images of the msconfig listing now. It took four captures to show them all.
     

    Attached Files:

  29. archp2008

    archp2008 Private E-2

    last two
     

    Attached Files:

  30. archp2008

    archp2008 Private E-2

    I forgot to point out that sometimes XP doesn't shut down at all - just hangs on "Windows is shutting down" interminably, and this is still happening. After posting the last message, I tried to shutdown but waited ten minutes and had to power off. I ran chkdsk afterwards. As far as getting in and out of safe mode is concerned, I have to be prepared for a long, long wait and frequently can't exit safe mode at all.
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Msconfig is not supposed to be used for stopping startups....it is for diagnosing issues.

    You may wish to use a Startup Manager

    You have a lot of things running that are unnecessary. And the Hide my folders program will not let me see what all is there in your add/remove programs list or the GetUnKeys log.

    Tell me what these are, please:
    C:\Documents and Settings\Arch Parsons\Local Settings\Application Data\Martau
    C:\Documents and Settings\Arch Parsons\Local Settings\Application Data\MigWiz
    C:\Documents and Settings\All Users\Application Data\Martau

    Now use windows explorer to find and delete:
    C:\Documents and Settings\Arch Parsons\My Documents\ComboFix.exe
    C:\grldr
    C:\QooBox


     
  32. archp2008

    archp2008 Private E-2

    Thanks for the reply.
    I kind of knew that msconfig was a last resort, but a lot of people on the Net do recommend its use and I have been following bad advice for a long time. In the meantime it is difficult to figure out how to stop some programs from starting at bootup and others go back there when upgraded. A number of security programs (CCleaner is one, I think) include startup managers of sorts. It wasn't apparent to me that a startup manager would do anything that msconfig wouldn't do. What are some of the programs that you would stop from running or uninstall? What would you like for me to do with XPHideFolders? I could temporarily uninstall it and/or disable it for a given length of time if that would help. I had no idea what these names were until I did a file search. Martau is the company name that makes YourUninstaller which is a nice program to use when there doesn't seem to be any other way to uninstall a program. It turns out that Migwiz is an XP file transfer wizard. I do have a copy of the xp cd copied to drive C. I have deleted the files you listed. I have not had a problem with the computer not shutting down since. You haven't commented on that windows cmd file that runs at shutdown...
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, I don't think it has to do with ComboFix...but probably some other program trying to clean up at shut down.

    Do disable/uninstall the file blocker because you have items that appear as though they may have been at one time installed but may no longer be there which I could only tell if I had the installed program list.

    Plus as far as the start up items...you could either give me a list from a startup manager or post in the software section and they will help you with that. (You do have an awful lot of items installed and running).

    I would need a new MGLogs.zip with the uninstall list.

    Please explain this --- do you mean you have the recovery console installed? Or do you mean you have a Virtual Machine installed?

    Do you mean the script is not running now on shut down?
     
  34. archp2008

    archp2008 Private E-2

    Thanks again for all your interest. OK on the batch file not being related to combofix. I should be able to narrow it down based on program installation dates. I won't make any personal comments on the hide folders thing except to say that no attempt was made to hide any programs (only files). If shutdown problems or lack of functions seem to continue to be an issue I will, as you suggested, post a new thread to the software forum regarding shutdown issues, etc. I doubt if repeating the MGLogs thing will make a difference, but I could certainly do so. As far as the XP cd is concerned what I mean is I have simply copied the contents of the cd to the hard drive. I think this was suggested in creating a Bart recovery disk. I find it convenient because I can browse to it instead of searching for the physical cd to put in the drive. I do have recovery console enabled for the main xp partition which is the one with all the programs. When I said I have not had a problem with the computer not shutting down completely, I meant that it has not taken more than two minutes before going silent. I haven't been forced to turn the power supply switch off. Actually, at this moment I am achieving a shut down time of only 25 seconds, but this is by following Microsoft's instructions for running a clean boot. I say "attempting" because I got the message, "Access denied in attempting to change a service." You would think that M$ would at least name the service that is being denied access. By looking in Event Viewer I can see a bunch of access denied errors, so I guess I can tell which services were involved by examining each of those system logs. I have the antivirus startup file added to start programs. The Internet still works. What other problem/s am I likely to encounter other than the access denied events that I don't need to look at anyway? Would you believe that I tried a few more freeware programs today?
    One is called msconfigcleanup and physically deletes unwanted listings in msconfig. Another is called Autoruns which lists every single driver and gives you the option of learning its function and deciding whether or not to load it. A ton of work, but perhaps something that could be useful. I spent an hour or so trying to disable various programs. It seems though that if any M$ files are disabled it causes loss of function. It just takes awhile before you find out which function is gone.
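    The thread never settles where the "del /f /s /v index.dat" command that runs at shutdown is registered. One place such a command can live is a local Group Policy shutdown (machine) or logoff (user) script, which is also among the locations Autoruns enumerates. The PowerShell below is an added example, not something posted in this thread or part of ComboFix; it assumes the poster's script is registered through local policy (which the thread does not establish) and that the standard scripts.ini and registry mirror locations are present, and it only lists and flags entries for review rather than deleting anything.

```powershell
# Added example (not from the thread): enumerate local Group Policy
# shutdown/logoff scripts and flag any that mention index.dat.
# Written against PowerShell 2.0 syntax so it also runs on Windows XP.

function Get-LocalPolicyScripts {
    # Local GPO scripts are defined in scripts.ini under the hidden
    # %SystemRoot%\System32\GroupPolicy tree. Sections are [Startup] and
    # [Shutdown] (machine) or [Logon] and [Logoff] (user), with numbered
    # NCmdLine / NParameters entries.
    $base = Join-Path $env:SystemRoot 'System32\GroupPolicy'
    $iniFiles = @(
        (Join-Path $base 'Machine\Scripts\scripts.ini'),
        (Join-Path $base 'User\Scripts\scripts.ini')
    )
    foreach ($ini in $iniFiles) {
        if (-not (Test-Path -LiteralPath $ini)) { continue }
        $section = ''
        foreach ($raw in (Get-Content -LiteralPath $ini -Force)) {
            $line = $raw.Trim()
            if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
            if ($line -match '^(\d+)CmdLine=(.*)$') {
                New-Object PSObject -Property @{
                    Source  = $ini
                    Phase   = $section
                    Index   = [int]$Matches[1]
                    Command = $Matches[2]
                }
            }
        }
    }
}

function Get-RegistryPolicyScripts {
    # Once policy has applied, the same scripts are mirrored under these keys
    # (assumed standard locations; confirm with Autoruns if in doubt).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse |
            ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath } |
            Where-Object { $_.Script } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Source  = $_.PSPath
                    Phase   = Split-Path $root -Leaf
                    Index   = $null
                    Command = ("{0} {1}" -f $_.Script, $_.Parameters).Trim()
                }
            }
    }
}

$found = @(Get-LocalPolicyScripts) + @(Get-RegistryPolicyScripts)
$found | Select-Object Phase, Index, Command, Source | Format-Table -AutoSize

# Flag, but do not remove, anything that touches index.dat so the entry can be
# traced to the program that created it before deciding what to do with it.
$suspects = $found | Where-Object { $_.Command -match 'index\.dat' }
if ($suspects) {
    Write-Host "Scripts referencing index.dat:"
    $suspects | Select-Object Phase, Command, Source | Format-List
} else {
    Write-Host "No policy script references index.dat; check scheduled tasks and Autoruns next."
}
```

    If nothing turns up here, the command is being launched some other way (a scheduled task, a third-party cleaner's own shutdown hook, or a logoff script registered by an installed program), which is exactly the kind of thing the Autoruns listing mentioned above is meant to surface.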
     
  35. archp2008

    archp2008 Private E-2

    The first attempt to post failed for some unknown reason. A few comments were missing in the second post (30 seconds later). I have no idea what happened. I don't think the missing comments were important. Is there an "auto-censoring" process? :) Thanks again
     
  36. archp2008

    archp2008 Private E-2

    I had a closer look at the bunch of system event errors in Event Viewer. They were six consecutive occurrences of the same error, "The ScRegSetValueExW call failed for Start with the following error:
    Access is denied." Error number 7005. Not much help to me in diagnosis. I did (try to) change some registry values manually following a page on shutdown problems, but I didn't think there were as many as six. I don't know if that was related or not. Probably not.
     
  37. archp2008

    archp2008 Private E-2

    Good News! I went back into Msconfig and turned back on WIN.INI, SYSTEM.INI, Load Services, etc. and my important startup programs, then I tried shutting down a few times and it's still shutting down very fast - less than 30 seconds. Actually as soon as it reads, "Windows is shutting down," it goes off. That's including 5-10 seconds for the delete index.bat file. I'm pretty satisfied with that. What do you think changed?
     
  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You had a lot of "stuck" things in your msconfig......and there were items that probably need removing from HJT log...but not seeing your installed programs, it was hard to tell what was a left over from a previous uninstall or not. But if you're good....good.:)
     
  39. archp2008

    archp2008 Private E-2

    Strangely, just as the shutdown time was decreased and stayed short for some time, it suddenly increased again to the usual 2 minutes. The only thing I remember doing was to boot into a Vista partition and then go back and boot into the XP partition. I tried repeating the clean boot sequence but it did not work the second time. Shut down time is not a major issue, just a minor annoyance when frequent restarts are needed.
     
  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just for a test..try doing this:

    1. Create a shortcut (Right-click on desktop, select New > Shortcut).

    2. For location, type the following:

    shutdown -r -t 0

    3. Click Next, enter a name for the shortcut ("Restart" is appropriate), and click Finish.

    When you click your Restart shortcut, Windows XP will reboot *automagically*!

    The "-r" switch tells XP to reboot. If you'd like the shortcut to shut off your PC instead, change it to "-s"; to simply log off, change it to "-l". The "-t 0" sets the timeout (in seconds), so up this value if you find the need for it. To force running applications to close, add "-f" -- be careful with this one!

    For more information on Shutdown, type "shutdown" in a command prompt window (Start > All Programs > Accessories > Command Prompt), or search for Shutdown in Windows XP's Help and Support Center.
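    The same shortcut can be created without the New > Shortcut dialog. The PowerShell function below is an added example, not part of TimW's instructions or of any tool discussed here; it wraps the "-r", "-s", "-l", "-t" and "-f" switches explained above, assumes shutdown.exe sits in %SystemRoot%\System32, and uses the WScript.Shell COM object (available on XP and later) to write the .lnk file. The function name New-ShutdownShortcut is made up for this example.

```powershell
# Added example (not from the thread): build the "Restart" shortcut described
# above, or a shutdown/logoff variant, with the switches the post explains.
function New-ShutdownShortcut {
    param(
        [ValidateSet('Restart', 'Shutdown', 'Logoff')]
        [string]$Action = 'Restart',
        [int]$TimeoutSeconds = 0,     # the "-t" value; 0 = no countdown
        [switch]$Force                # adds "-f": closes apps without prompting to save
    )

    # Map the friendly action to the shutdown.exe switch.
    $mode = switch ($Action) {
        'Restart'  { '-r' }
        'Shutdown' { '-s' }
        'Logoff'   { '-l' }
    }

    # "-l" (log off) takes no countdown, so only append "-t" for the other two.
    $arguments = $mode
    if ($Action -ne 'Logoff') { $arguments += " -t $TimeoutSeconds" }
    if ($Force) { $arguments += ' -f' }

    $desktop  = [Environment]::GetFolderPath('Desktop')
    $linkPath = Join-Path $desktop "$Action.lnk"

    # WScript.Shell writes a real .lnk; TargetPath and Arguments are the two
    # fields the New > Shortcut wizard fills in from the "location" box.
    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($linkPath)
    $shortcut.TargetPath  = Join-Path $env:SystemRoot 'System32\shutdown.exe'
    $shortcut.Arguments   = $arguments
    $shortcut.Description = "shutdown.exe $arguments"
    $shortcut.Save()

    Write-Host "Created $linkPath -> shutdown.exe $arguments"
    return $linkPath
}

# Equivalent of the post's "shutdown -r -t 0" shortcut:
New-ShutdownShortcut -Action Restart

# A power-off shortcut with a 30 second grace period:
New-ShutdownShortcut -Action Shutdown -TimeoutSeconds 30
```

    Leaving -Force off keeps the "are you sure you want to discard unsaved work" prompts that the post warns you lose with "-f"; add the switch only to a shortcut you deliberately use for unattended restarts.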
     
