Help! Combofix just stopped dead!

Hi,
I was following the procedure to run combofix. It installed the recovery console, then began scanning. It said it found a rootkit and needed to reboot the machine, specifically telling me not to do it manually. I said OK and it started but then stopped. It is just hanging with all my icons gone, my machine connected to the internet and my virus protection turned off. What do I do?

 

Thanks. I was afraid to leave it like that. Sometimes it just hangs on closing down --it's an XP SP3 machine. I held the power button down till it turned off, then turned it back on. Combofix resumed as if it had done it itself. Everything appears to be okay. Pardon my panic, lol.

 

Is rootkit gone?

Hi,
I ran the READ ME FIRST procedures, MAMB and SAS found nothing, but combofix found a "difficult" rootkit. It tried to remove it, said it needed to reboot my computer but then just hung. (It is an XP SP3 machine and sometimes hangs on shut down. So I held the power button down till it shut off, then started it again. Combofix resumed as if it had done the shut-down, it seemed. I got the log and then ran it again to be sure. It looks like it deleted some of the same stuff the second time. Root Repeal seemed to see a lot. MG Tools ran also. Logs are attached. Can anyone tell me if I still have a problem? The root repeal log looks big,
Thank you for your help. When combofix first hung up, I started a thread for help as I was afraid to do anything. Is there a way to mark that "solved" so that I don't waste anyone's valuable time? Thanks so much-- my paycheck depends on this machine!

 

Re: Is rootkit gone?

Well...I was following the "READ ME FIRST" instructions. They never found the rootkit to start with. Combofix, run after them, did. It looked to me like the second run of combofix deleted someof the same files as the first run, which means they returned, so I thought there might still be something there. Also the Root Repeal log seemed long.

 

I just realized my mistake--When combofix stalled, I panicked and started this thread because it had specifically said not to manually restart my computer. When no one answered, I gave in and restarted it anyway, and it picked up where it left off. I tried to close this thread by leaving the message that it had resumed and seemed to be okay. I asked how to mark a thread solved, but no one answered, so I couldn't close it. I posted my four logs on another thread--that's why I thought you had them. I'm so sorry! I ran combofix a second time after the stall, so I included that one too. You were being very kind and patient considering how I've botched this request for help!!

 

Ok, did the first part -- log is attached.
Now to embarass myself -- when I go to download MGtools, it offers to save it in the download folder. I that where it goes? If not, exactly where should I put it? (And how do I get it off my desktop?) D'oh!

 

Sorry for the delay-- I had to lend the laptop to my son when his died mid-term paper and am working on a clunky old desktop. I will try to follow your instructions as soon as I get it back. It isn't in a folder now-- I downloaded it directly to the desktop like combofix. Is there a way to fix that?

 

Just got the laptop back -- disaster! My son said he had to borrow someone else's computer--I don't think he did it. I turned it on and got some message about "XP Security 2012" I think- it happened very fast. Then the icons on my desktop disappeared and the items on the taskbar. There is no "run" window. WHen I tried to run ESET 32 - one of the few remaining items on the taskbar, it froze the scan and shut down the computer. I rebooted in safe mode--no icons. Tried to attach a thumb drive--no way to access it. I'm competely locked out.:cry This is the worst I've ever seen it. WHat the heck do I do now besides get more tissues?

 

I got the run window back by changing to the "classic" startup, but I can't get into the control panel or access the thumb drive. When i try to run a program (one of the few I can still see under "programs" it just asks me what program I want to open the file with. No good. Same for the run window. Last known good configuration does nothing. This is terrible!

 

Well, I can sort of see the desktop again, but all executable files are ghostly. No executable will work. I went in through the document folder to the download file where I still had the setup files for Malwarebytes. I installed it again in that folder and quickly renamed the exe file "Bam.com". The shortcuts that it added to the desktop and taskbar stopped working and went ghostly, but I was able to launch Malwarebytes and SuperAntiSpyware by this method. Malwarebytes can't find anything else wrong (it may or may not have been tampered with) SAS found two rootkits a couple of trojans and a pile of cookies. Now I can see "my Computer" and my flash drive. So I guess that's progress. Combofix is on my desktop (ghostly) can I rename it something.com and still have it work? Where do I go from here? I also ran TDSSKiller for that particular rootkit but no luck. I am leary of connecting to the internet as I have no active virus protection, but I Combofix, root repeal and MG Tools on my desktop from my last encounter last week--I just can't use them as long as they are named .exe files.

 

Well, I renamed Combofix as directed and tried to run it. It warned me that my Eset scanner was active. Suprised, I went in through programs and was allowed to run Eset NOD32. It found one thing Qoobox trojan, which it quarantined. I see the same thing quarantined a couple of weeks ago. However, returning to the desktop, I found that my renamed combofix had disappeared, as had my renamed MalwareBytes. I renamed and ran MGTools, which then suffered the same fate. I still had a copy of renamed malwarebytes in my download folder, which can't find anything (and seems to complete awfully fast...) A task bar icon for SuperAntiSpyware reappeared --this finds something called "system.brokenfileassociation" and quarantines and removes it--but it just comes immediately back. Can I save a copy of Combofix to my flash drive somehow? It looks like my installer is ghostly too though... I just found the renamed combofix file in the windows/prefetch folder, now it's named hb65f.com-08157917.pf

 

Then I messed it up worse. Combofix stopped loading and had a dire warning that there was an active scanner running and it was dangerous to run that way. So I discovered that I could now get eset NOD32 to run, so I ran the scanner from there, thinking I'd do that first while I had access, then shut it down. When I went back to combofix, it was gone. Look, I know I'm a head smacking nube when it comes to this stuff, but I really do appreciate your help and I really am trying. I was just afraid to run combofix under those circumstances. It also said something about running a "limited" scan because it was more than a month old (barely. I tried unsuccessfully to uninstall it), so I thought THe NOD32 might be able to catch this. D'oh!

 

Okay, finally got the file associations fixed so I could run .exe programs.
Downloaded Combofix and others--logs attached. MG Tools gave error:
c:\windows\system32\cmd.exe
c:\PROGRA~\Symantec\S32EVNT1.dll
An instalable virtual device driver failed Dll initialization.

I told it to ignore that and proceed.

After everything else I ran Eset NOD32 and it found but was unable to clean this:
Winlogon.exe(1360) - a variant of Win32/Dorkbot.B worm

There is a new folder in my C: folder caller RECYCLER. The same folder appears on my flash drive, which I assume is how this computer was infected. (I think this means the other computer in the house that is slowing down is infected also, but one thing at a time.) This was not visible to Eset before all these other
scans ran.

 

Didn't work. I followed your instructions and it looked okay for a while, then the RECYCLER folder reappeared. I ran combofix again because I hadn't run MGTools yet, and I thought I might catch it before it reappeared. No luck. Logs are attached.

 

Really? Sorry, I was going by a previous post from this past September, where someone described it first as the RECYCLER virus, then said that Microsoft Security Essentials had identified it as win32/Dorkbot, (http://forums.majorgeeks.com/showthread.php?t=244260&page=2)
Since I was having similar problems and the RECYCLER folder appeared on both my DataTraveler flash drive and my infected laptop, and since my laptop's Eset program identified a threat that it couldn't clean as Win32/dorkbot.B, I assumed they were connected.
The RECYCLER folder does NOT appear the desk top computer I am typing this on, (I have it set to show hidden files), which is also a Core2Duo with virtually the same software, or my daughter's laptop, which is almost identical to my infected one, so I figured the RECYCLER folder was from the virus.
The Eset Threat Encyclopedia (http://www.eset.eu/encyclopaedia/win32-dorkbot-b-worm-ngrbot-gqj-w32-kolab-gen-p) says that the worm creates a RECYCLER folder to hide in--it said a lot more than that but I won't pretend I understood it!) So I thought this RECYCLER folder was evidence of continued infection. Also, a couple of my desktop icons (root repeal and a folder of tools) are...dark-they don't look normal. I guess that could be something else. Sorry--I'm not very good at this stuff!
To answer Kestral13! -- I have no idea what Dc1.zip is--it isn't showing on the computer or in a search for that file. Where do the logs say it is?

 

I'm sorry, I did look in the C: folder but dc1.zip was not visible. I searched for it too but nothing came up. Apparently all my "superhidden" files became visible though, so the RECYCLER folder had this in it: S-1-5-21-1896466947-3091375771-3867100828, which disappeared when I hid the "superhidden" system files, so I guess not a virus?
I followed all your finishing procedures and other than one small detail, all seems well. (There is a folder on my desktop which has had it's status changed from visible to hidden, as have all the files it contains. It has some set-up files and shortcuts etc.)
Thank you SO much for your help and for putting up with my ineptitude! You guys are heroes! I looked to see if there was a place to help support the site, but I couldn't find one? Is there a way to mark this thread as solved (ANOTHER victory!) or do you do that? Thanks again!