Cannot run Combofix

Hi,

I wonder if someone could check out the attached HiJackThis log.

I've been trying to run Combofix and either get the message after installing the newer version that "Windows cannot find Combofix" or I need to run as Admin, which I do and still get the same message.

I want to run Combofix to investigate a few problems, including Outlook trying to send messages from an empty Outbox.

I've run CCleaner and use Microsoft Security Essentials as the AV.

Thanks in advance.

Mike
mikeabc27Asked:

mikeabc27Author Commented:
Not sure if attachment went through

hijackthis.log
davidlevans13Commented:
What OS are you running?
I have never used Combofix, and it sounds like a program that can cause a lot of troubles without proper knowledge. I will assume that you have that knowledge...   but I would try Malwarebytes first....
optomaCommented:
Run Exehelper first>AV may flag this as bad>it's not!
http://raktor.net/exeHelper/exeHelper.com

Run Hitmanpro
http://www.surfright.nl/en/hitmanpro

Delete copy of Combofix and redownload it from below
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


>Remember to right-click and run as admin for tools

mikeabc27Author Commented:
David - Running Vista Business.
Optoma - I followed your suggestions, but when I started running the new Combofix it came up with a msg Access is Denied and I needed admin rights although I was logged on as local administrator. When I've hit this problem before I simply reinstalled and it worked.
optomaCommented:
Did other scanners find anything?

Even though you're logged on as local admin, did you right click and select run as admin?
mikeabc27Author Commented:
Run As Administrator produces the same Access Denied. You need admin...
optomaCommented:
Did other scanners run ok + did they find anything?
davidlevans13Commented:
Somewhere I got the idea that Combofix was for XP and older and not Vista or 7.... I'm sure I have been misinformed, but I was surprised you were using it in Vista.

Any truth to my notions?
mikeabc27Author Commented:
All other scanners ran, but nothing found.
Combofix has worked fine in Vista on this PC.
mikeabc27Author Commented:
Now I'm getting some weird stuff. When trying to open IE it says it's an illegal operation and the registry key has been marked for deletion. A few other apps/files have unfamiliar icons.
 
davidlevans13Commented:
This sounds like Virtumonde or the other newish virus/malware...  trying to remember the name.
http://www.youtube.com/watch?v=boV2MrBt9IA
A video about Virtumonde removal.

Do you have a Boot CD antivirus?
I used one from AVG a bit ago to get a start on cleaning out a HDD...
http://www.avg.com/ww-en/avg-rescue-cd

Not sure if this helps. I have a sieve for a brain..  I was just reading about something that does this the last couple of days.
argh.
davidlevans13Commented:
Hey.. I found a past thing about Virut.... that was the name I couldn't remember  ( does sort of sound a bit like virus... virtumande?... whatever)

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_22877626.html?sfQueryTermInfo=1+virut

scary stuff.
optomaCommented:
Just reboot machine>that happens after Combofix is launched on Vista :)

After reboot delete copy and download another copy to desktop
>>>>Rename Combofix to fc.exe prior to saving it to desktop and try again
mikeabc27Author Commented:
David, thanks good idea, but I think my AV would have picked it up?
Optoma, rebooted, downloaded as fc.exe, but still "Access Denied"
davidlevans13Commented:
A quandary is what we have here.
hmmmm....

I am gonna watch and learn, like I do for so many postings.
This is a good classroom here.
optomaCommented:
Try Tdsskiller in case of a rootkit and post its logfile after if anything suspect
http://support.kaspersky.com/viruses/solutions?qid=208280684

Can you install above mentioned Malwarebytes without errors?
mikeabc27Author Commented:
Hi, the tdsskiller didn't find anything.
I'll try mbam
optomaCommented:
Ok run these as well>important to right click + run as admin

1>Run autoruns.
In Autoruns:
Hit options and check "verify code signatures" and rescan (F5 key)
Don't make any other changes...

Within Autoruns,select the file tab and select save(Ctrl+S) and save as AutoRuns Data (*.arn) -Output file is a few megs in size
Once saved then right click autoruns.arn and rename to autoruns.txt to upload

Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

2>run process explorer.
In it ,hit options and select "verify image signatures"
Then hit view,select columns and check "verified signer"
Get a screen shot of process and attach images(preferably as jpg/jpegs)
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
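Added example for the Autoruns / Process Explorer step above. This is my own PowerShell, not Sysinternals code and not something posted in this thread. It assumes PowerShell 2.0 or later run from an elevated prompt, and it covers only the four Run/RunOnce keys, a small subset of what Autoruns enumerates, but it answers the same question "Verify code signatures" does: what does each startup entry actually launch, and who signed it?

```powershell
# Added example, not code from the original thread or from Sysinternals:
# an Autoruns-style check of the Run/RunOnce autostart keys. For each value
# it resolves the executable that will be launched and asks Windows to
# verify its Authenticode signature. Assumes PowerShell 2.0+, run elevated.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every item; these are not autorun values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-CommandPath {
    # Extract the executable from a command line such as
    #   "C:\Program Files\Tool\tool.exe" /quiet     or     rundll32.exe foo.dll,Entry
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -lt 0) { $end = $cmd.Length }
        $exe = $cmd.Substring(1, $end - 1)
    } else {
        $exe = ($cmd -split ' ')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) {
        # Bare names such as rundll32.exe resolve through PATH.
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($found) { $exe = $found.Definition }
    }
    return $exe
}

function Get-AutorunSignature {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $exe = Resolve-CommandPath ([string]$prop.Value)
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $status = $sig.Status
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            } else {
                # The value points at a file that no longer exists: either an
                # uninstalled program or an orphaned entry left behind by malware.
                $status = 'FileMissing'
                $signer = '(n/a)'
            }
            New-Object PSObject -Property @{
                Key    = $key.Replace('SOFTWARE\Microsoft\Windows\CurrentVersion\', '')
                Name   = $prop.Name
                Path   = $exe
                Status = $status
                Signer = $signer
            }
        }
    }
}

Get-AutorunSignature | Sort-Object Status | Format-Table Status, Name, Signer, Path -AutoSize
```

Read the Status column as "Valid with a publisher you recognise" versus everything else. One caveat for this era: Windows' own inbox binaries on Vista are signed through catalog files rather than an embedded signature, and Get-AuthenticodeSignature on that version of PowerShell reports them as NotSigned, whereas the Sysinternals tools do resolve catalog signatures. So treat NotSigned here as "look closer" (where does it live, when was it written, what does its properties sheet say) rather than "malicious", and treat FileMissing the same way, since an orphaned startup value is exactly what a HijackThis O4 line would also flag.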



mikeabc27Author Commented:
Had to run mbam twice as it didn't update on first attempt.
Found a couple of fairly harmless things first time round (log attached), nothing within with the updated scan.
Will try your other suggestions.

mbam-log-4-14-2010--20-22-18-.txt
mikeabc27Author Commented:
optomaCommented:
Thanks for those. Unfortunately nothing obvious but stuff can hide from those :(

Download Inherit to desktop as where Combofix is also saved.
Drag Combofix over/on top of Inherit and release.
Should get an "OK!" message

Try running Combofix again as Admin

http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
mikeabc27Author Commented:
Thanks optoma - when I follow that, fc.exe (combofix) upgrades to newer version, restarts combofix and then cannot find it.
optomaCommented:
Hmm, something not right! :(

Boot into safe mode with networking
Download a fresh copy(again!) and leave it named as its normal name.
Drag and drop it again in that mode and see if it runs.

If that doesn't work I'm outta options at the moment, but will try and get somebody else to have a look who would have better dealings with resolving this :)
mikeabc27Author Commented:
Sorry optoma - I left to sort a server out early this morning.

I've tried safe mode and run a fresh combofix (ran as admin), but get the following msg:

The system cannot find message text for message number 0x8 in the message file for system.

It then runs through the 50 stages as it has been doing before, but at stage 38 I get an Access Denied. Admin permissions needed, and no files or folders are deleted.
optomaCommented:
Even though it doesn't complete, is there any C:\Qoobox folder?
I'll try and get somebody else to have a look at this thread.
optomaCommented:
This may be worth a read with outbox issue, if applicable for your case:
http://forums.techguy.org/web-email/528771-outlook2003-trying-send-msgs-nothing.html

mikeabc27Author Commented:
There is stuff with yesterdays/todays date in c:\qoobox and I'm attaching last combofix log today.
Like the others, nothing has been deleted and Registry Keys have been locked due to the Access Denied problem.
No luck with the Outlook link - thanks anyway

ComboFix5.txt
rpggamergirlCommented:
Is there a text file created? --> C:\Combofix.txt
Did you disable security shields while running ComboFix?
In safe mode run it again, make sure combofix.exe is on the desktop.
In the Run box, copy/paste below command...

"%userprofile%\desktop\combofix.exe" /killall

and click OK, and see if it runs ok.

If it's not legit programs or permissions causing this, it could be some nasties and we should  try some other diagnostic tools in case it's some nasties that CF doesn't handle yet.
mikeabc27Author Commented:

Hi rpggamergirl,

I checked MS Security Essentials was off and ran "%userprofile%\desktop\combofix.exe" /killall from the Vista run box.

 It starts and I get the warning about the two websites, then I get:

The system cannot find message text for message number 0x8 in the message file for system.

Then after a few moments it offers to upgrade to the newer version that's available, despite having downloaded combofix from bleepingcomputers.com this morning, I accept and eventually get a msg:

Windows cannot find Combofix.

I repeat without upgrading and get the same initial errors. When declining the upgrade I get the Access Denied - Admin error and it continues and I will get the same Access Denied error at Stage 38.

I'm on stage 3 and will post this now as I guess it's quite late where you are.

I will post the combofix report as soon as it is finished.
mikeabc27Author Commented:
The full report didn't generate at the end. The combofix.txt file just says:
ComboFix 10-04-14.03 - Administrator 15/04/2010  15:39:35.8.2 - x86 NETWORK
Microsoft® Windows Vista™ Business   6.0.6001.1.1252.44.1033.18.2038.1423 [GMT 1:00]
Running from: C:\Users\Administrator\Desktop\combofix.exe
Command switches used :: killall
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
When I opened Defender it was disabled.
mikeabc27Author Commented:
On a totally unrelated issue, I came across this site that automatically analyses HiJack This logs:
http://www.hijackthis.de/index.php?langselect=english#anl 
It didn't resolve the  other issue but stopped the PC trying to send 3 items from an empty outbox.
Still trying to fathom the Access Denied issue with Combofix, which I have successfully used to clean one PC this afternoon.
optomaCommented:
Its a good site but still be careful using it as it may give a false result due to user ratings.

See your Hjt log now :(
mikeabc27Author Commented:
Good point, I did wonder about that
mikeabc27Author Commented:
Sorry this didn't attach
hijackthis3.txt
optomaCommented:
Comparing before+ after Hjt:
C:\Program Files\pdfforge Toolbar\SearchSettings.exe >Its removal probably resolved issue with outbox.

How is machine behaving?

No harm to wait for Rpggamergirl to advise you on other scanners :)
rpggamergirlCommented:
I never like any toolbars, :)
Have you now removed Pdfforge Toolbar?
Fixing entries in Hijackthis doesn't delete any directories nor remove the program, it only disables the program from loading at startup.
Even if you use PDFCreator you don't have to have their toolbar.

Hijackthis.de:
I've tried that site a few years back, and it flagged my ISP as malicious.
Automated analyzers are good as a guide, especially to determine if entries are legit....only as good as their database so can't be totally relied on.

Is that all the CF log... still not running properly I see.


1.  Try running Gmer and if it doesn't find anything we can then run other diagnostic tools.
Download GMER Rootkit Scanner
http://www.gmer.net/gmer.zip
Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan.
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
* IAT/EAT
* Drives/Partition other than Systemdrive (typically C:\)
* Show All
(don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the Save.. button, and in the File name area, type in "ark.txt"  
Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Please copy and paste the report into your Post.



2.  Also run OTL.
Download to your Desktop
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Under the Custom Scan box paste below bold text in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90


Click the Quick Scan button. Do not change any settings. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
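Added example for the OTL /md5start list above: the same inventory done in PowerShell so the hashes can be compared against a clean machine instead of read by eye. This is not OTL's code and was not posted in the thread. It assumes PowerShell 2.0 or later from an elevated prompt, and a known-clean Vista machine at the same service pack to take the baseline from; no hash values are hard-coded, the baseline is whatever that clean machine produces.

```powershell
# Added example, not code from the original thread or from OTL: inventory the
# system files OTL is told to hash (path, size, timestamp, MD5, signature) and
# compare that inventory with one exported from a known-clean machine.
# Assumes PowerShell 2.0+, run elevated.

$WatchedFiles = @(
    'eventlog.dll', 'scecli.dll', 'netlogon.dll', 'cngaudit.dll', 'sceclt.dll',
    'ntelogon.dll', 'logevent.dll', 'iaStor.sys', 'nvstor.sys', 'atapi.sys',
    'IdeChnDr.sys', 'viasraid.sys', 'AGP440.sys', 'vaxscsi.sys', 'nvatabus.sys',
    'viamraid.sys', 'nvata.sys', 'nvgts.sys', 'iastorv.sys', 'ViPrt.sys',
    'eNetHook.dll', 'ahcix86.sys', 'KR10N.sys', 'nvstor32.sys', 'ahcix86s.sys',
    'nvrd32.sys', 'symmpi.sys', 'adp3132.sys', 'mv61xx.sys', 'nvraid.sys'
)

function Get-FileMd5 {
    # MD5 via .NET so this also works on PowerShell 2.0 (no Get-FileHash).
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Get-SystemFileInventory {
    param([string[]]$Names = $WatchedFiles)
    # OTL's /md5start walks all of %SystemRoot%; the two places these files
    # legitimately live are System32 and System32\drivers, so look there.
    $dirs = @((Join-Path $env:SystemRoot 'System32'),
              (Join-Path $env:SystemRoot 'System32\drivers'))
    foreach ($name in $Names) {
        foreach ($dir in $dirs) {
            $path = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $item = Get-Item -LiteralPath $path
            New-Object PSObject -Property @{
                Path      = $path
                Size      = $item.Length
                Modified  = $item.LastWriteTime
                MD5       = Get-FileMd5 $path
                Signature = (Get-AuthenticodeSignature -FilePath $path).Status
            }
        }
    }
}

function Compare-SystemFileInventory {
    # $Current: output of Get-SystemFileInventory on the suspect machine.
    # $Baseline: the same, exported from the clean machine (Import-Csv is fine).
    param($Current, $Baseline)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Path.ToLower()] = $b }
    foreach ($c in $Current) {
        $ref = $known[$c.Path.ToLower()]
        $verdict = if (-not $ref) { 'NOT IN BASELINE' } elseif ($ref.MD5 -ne $c.MD5) { 'MISMATCH' } else { 'ok' }
        $baseMd5 = if ($ref) { $ref.MD5 } else { '' }
        New-Object PSObject -Property @{
            Verdict     = $verdict
            Path        = $c.Path
            MD5         = $c.MD5
            BaselineMD5 = $baseMd5
            Signature   = $c.Signature
            Modified    = $c.Modified
        }
    }
}

# On the clean reference machine:
#   Get-SystemFileInventory | Export-Csv clean-inventory.csv -NoTypeInformation
# On the suspect machine:
#   Compare-SystemFileInventory (Get-SystemFileInventory) (Import-Csv clean-inventory.csv) |
#       Sort-Object Verdict | Format-Table Verdict, Signature, Modified, Path -AutoSize
```

The list is mostly disk-controller drivers (atapi.sys, iaStor.sys, nvstor.sys and friends) because rootkits of this period patched those in place: the file keeps its name, its location and sometimes its size and timestamp, and only the hash gives it away. A MISMATCH is the file to upload to jotti or VirusTotal. Two caveats: a rootkit that is already active can hand back the clean bytes when the file is read from inside the infected OS, which is why a scan from a rescue CD (as done later in this thread) is the stronger check; and on Vista-era PowerShell, Get-AuthenticodeSignature reports NotSigned for Microsoft's catalog-signed files, so the Signature column is only useful as a difference between baseline and suspect, not on its own.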



mikeabc27Author Commented:
Optoma - PC running better but still idles at 7% to 14%, rather than 0% to 1%. Removed a busy PrimoPDF file but no change.
Rpggamergirl -  Have now removed ALL toolbars, PDForge was last to go. Have been running gmer for a while now and still at the initial scan stage.
 
 
 
rpggamergirlCommented:
Sometimes Gmer scan hangs....if so, try another scan but uncheck the "Files" box, that usually fixes it.
mikeabc27Author Commented:
It took a few attempts even with file unticked, but here are the logs.

ark.log
ark.txt
Extras.Txt
OTL.Txt
mikeabc27Author Commented:
I've not heard anything in five days, so assume you've been busy or couldn't find anything, however, problem has worsened. PC shutting down, refusing to boot up and now Black Screen White Pointer when I do get it to boot.
Even when I boot from a Vista Business DVD and choose Repair it goes to the black screen.
mikeabc27Author Commented:
OK, choosing system restore instead of repair on booting from the DVD seems to have got me back on track if a bit wobbly. Previous system restores have failed and I'm not sure which point it selected, but even the earliest available was after I originally started this thread.
Anyway, CPU usage is still behaving like an eccentric aunt.
optomaCommented:
Hi Mike,
That black screen issue can only be resolved with a system restore in "good old, reliable vista" :(

Note>I have never got the so called "repair" feature to solve anything in vista even when it detects problems and says it resolved them!

I can't advise you on the logs which you provided but Rpggamergirl can (think she will be back online soon)

For cpu usage:
Check process explorer again and note what is spiking


rpggamergirlCommented:
I am very sorry for much delayed reply, I've been offline too much.
 
Was the "Sections" box in Gmer checked? I don't see anything in the log that helps.
It could be hardware/software being the culprit here since the scan doesn't seem to be showing anything.

OTL logs I couldn't find anything suspect either.... I don't think these files below are patched but just to be sure they aren't, have them scanned online --> virusscan.jotti.org/

C:\Windows\System32\drivers\sptd.sys
C:\Windows\System32\comsvcs.dll
C:\Windows\System32\dxtmsft.dll
C:\Windows\System32\dxtrans.dll
C:\Windows\System32\rsaenh.dll
C:\Windows\System32\SLC.dll
C:\Windows\System32\vbscript.dll
mikeabc27Author Commented:
No problem, I left all the default settings in Gmer except unticking:
IAT/EAT
Drives/Partition other than c:
Show All
 Files
I've scanned 4 files so far, and they were OK. Machine has started shutting down again and will advise on the other files when I get it started again.
mikeabc27Author Commented:
All files now scanned and no problems found.
optomaCommented:
When you say machine is shutting down>what happens. Is it random, any errors, blue screens, lock ups?
mikeabc27Author Commented:
m/c shuts down unexpectedly, not sure if this is app/keystroke related. It then takes many attempts to restart failing as it is about to open Windows.
It's as if it was overheating, but if left in CMOS there's no problem. Several searches mention malware with this problem.
optomaCommented:
Any minidumps or anything in event viewer?
mikeabc27Author Commented:
Couldn't find anything obvious in logs, now can't boot up at all.
optomaCommented:
Safe mode working?

Can you remove hard drive and slave it in another machine. Backup the data off it and run an AV scan on it
mikeabc27Author Commented:
No, unfortunately same problem in safe mode.
It's a Toshiba notebook, still under hardware warranty, so don't really want to remove the drive.
I've managed to get into Windows on it and looking at the Event Viewer, Apps ok, but cannot get into System events. I get msg "Event Viewer cannot open the event log or custom view. Verify the Event Log service is running (it is). The data is invalid (13)."
mikeabc27Author Commented:
I just read clearing the log sorts this error and it now works.
mikeabc27Author Commented:
I just get the 6008 unexpected shutdown error in event viewer.
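Added example for the Event Viewer step above: a PowerShell script of my own, not from the thread, that lists the boot/shutdown markers from the System log and checks whether each unexpected shutdown left a crash record behind. It assumes PowerShell 2.0 or later (for Get-WinEvent) from an elevated prompt; the event IDs are the standard Windows ones.

```powershell
# Added example, not code from the original thread: pull the shutdown-related
# events from the System log and list any crash dumps, so each unexpected
# shutdown can be classified. Event IDs used (standard Windows):
#   6005/6006  EventLog      service started/stopped (clean boot/shutdown markers)
#   6008       EventLog      the previous shutdown was unexpected
#   1001       BugCheck      a kernel crash (blue screen) was recorded
#   41         Kernel-Power  reboot without clean shutdown (Windows 7 and later)
# 6008 and 1001 are both written at the NEXT boot, so they land close together.
# Assumes PowerShell 2.0+ (Get-WinEvent), run elevated.

function Get-ShutdownTimeline {
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'System'
        Id        = 6005, 6006, 6008, 1001, 41
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { (($_.Message -split "`r?`n")[0]).Trim() } }
}

function Get-CrashDumps {
    # A blue screen leaves a minidump (and optionally a full MEMORY.DMP).
    $dumps = @()
    $miniDir = Join-Path $env:SystemRoot 'Minidump'
    if (Test-Path $miniDir) { $dumps += @(Get-ChildItem $miniDir -Filter *.dmp) }
    $full = Join-Path $env:SystemRoot 'MEMORY.DMP'
    if (Test-Path $full) { $dumps += @(Get-Item $full) }
    $dumps | Select-Object FullName, Length, LastWriteTime
}

function Test-ShutdownCause {
    # A 6008 with a BugCheck 1001 logged within a few minutes of it is a kernel
    # crash; a bare 6008 with no 1001 means the machine lost power or was reset
    # with no chance to write anything, which points at hardware (thermal trip,
    # loose RAM, power) rather than a software fault.
    param([int]$Days = 14)
    $events = @(Get-ShutdownTimeline -Days $Days)
    foreach ($e in ($events | Where-Object { $_.Id -eq 6008 })) {
        $crash = $events | Where-Object {
            $_.Id -eq 1001 -and
            [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalMinutes) -le 10
        }
        $cause = if ($crash) { 'kernel crash (see dump)' } else { 'power loss / hard reset' }
        New-Object PSObject -Property @{ LoggedAt = $e.TimeCreated; Cause = $cause; Detail = $e.Summary }
    }
}

Get-ShutdownTimeline | Format-Table TimeCreated, Id, ProviderName, Summary -AutoSize
Test-ShutdownCause   | Format-Table LoggedAt, Cause, Detail -AutoSize
Get-CrashDumps
```

The distinction matters for the rest of this thread: a blue screen is recorded at the next boot as a BugCheck 1001 event plus a file in C:\Windows\Minidump, so a run of 6008s with no 1001 and an empty Minidump folder means the machine simply lost power, which is what overheating, a failing battery/PSU or a loose RAM module produce, and not what a bad driver or a crashing rootkit normally produce. If the System log itself is corrupt (the "data is invalid (13)" error above), try to save a copy before clearing it: wevtutil epl System System-backup.evtx, then wevtutil cl System; the backup can still be read afterwards with Get-WinEvent -Path System-backup.evtx.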
optomaCommented:
If it's under warranty leave it as it is.

You can use UBCD to boot to and test the ram + manufacturers full hard drive diagnostic test(bios setup will say what make of hard drive)
http://www.ultimatebootcd.com/download.html

Although i think it is software related which a clean install(not the factory restore) would be an ideal test(data backed up firstly!)
mikeabc27Author Commented:
Optoma,
I'm currently trying to find my Ghost 14 installation/recovery CD to reinstall last good image.
That was the last resort, as I would have really liked to resolve this by tackling the problem malware.
optomaCommented:
I don't think malware is the problem. The logfiles look ok and checked over by Rpg with an "all clear"!


mikeabc27Author Commented:
OK, I need to do a good sort out, and it will take ages to find the Ghost CD.
I already have a DVD of UBCD 4.1.1. and will check it out first.
mikeabc27Author Commented:
I've run the Quick Test on the Fujitsu drive and that tested ok - now running the 68 minute comprehensive test.
mikeabc27Author Commented:
It's finished the test and I get the msg:
The drive passed the COMPREHENSIVE TEST. Both the QUICK TEST and the COMPREHENSIVE TEST have finished successfully. No error was detected on the HDD.
 
optomaCommented:
Looking like software issue..... Vista blues :(  !!!
rpggamergirlCommented:
With regards to ComboFix issue, some legit security apps may also target CF files, I've seen Windows Defender that targeted one of CF files.... but with other accompanying problems in this case it does sound like could still be malware.
mikeabc27Author Commented:
I'm glad you think that, but it is a tricky one.
This particular computer is used to analyse clients' problems, and, as such, is the most exposed PC I have. Probably, not the best thinking to have a Vista PC do this!!
I've done the:
MSCONFIG, Services, "Hide All Microsoft Services", Disable All, Startup tab, Disable All thing and that has improved things greatly. PC hasn't shutdown in seven hours, it did a couple of times after making the changes, but at least it starts first go every time.
I really would prefer to avoid the Ghost restore - if I can.
optomaCommented:
What about running a live cd like Kaspersky if it still looks like malware??
Let it update first + can take hours to scan

http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

--When finished scanning, hit reports and save its scan logfile to hard drive.>remember location to where logfile is being saved to!
Post logfile here after
mikeabc27Author Commented:
Optoma,
I created the CD and booted from it, updated, it ran the scan and found not-a-virus.fraud and ran scanning for 1.5 hours (still at 1% after this time), then it shut down.
optomaCommented:
Can you remember its location or what file?

If it shut down during that scan it's possible that it's overheating> is the fan running smoothly + machine on a flat surface like a workbench/desk?
mikeabc27Author Commented:
Sorry, only made a mental note of the infection while waiting for the report.
Now been running for 1.75 hours on second go and up to 39% (jumps from 1% to 36% in one leap).
Very difficult to check temp as no PC Health in the CMOS and no software loaded to check. Obviously, with sudden shutdowns you immediately think overheating. What negates this, it will boot up and run for another 1.75+hrs straight after a shutdown?
optomaCommented:
Strange. You would think overheating. But if its running again.... Will take a few more hours anyway.
mikeabc27Author Commented:
Yes, we're up to 4hrs 40m and 54%. It found a trojan at 50% in a PST file I copied over suspiciously recently on the desktop.
It was Exploit.HTML.Mht
mikeabc27Author Commented:
It finally ran for 8 and a half hours and 66% before shutting down.
optomaCommented:
Did you test the ram with UBCD?
mikeabc27Author Commented:
Yes, although the test goes into a perpetual loop test, it tested ok after 10 minutes.
optomaCommented:
how much ram in machine? 10 mins isn't very long. I usually let it pass at least three times :)
mikeabc27Author Commented:
2GB
optomaCommented:
Should take longer than 10 mins to test 2gig of ram
mikeabc27Author Commented:
Thanks Optoma - I'm currently working onsite, but I'll give it a longer test when I get back. How long does the memory test normally take, and anything else from the UBCD worth trying?
optomaCommented:
Its depending but with 2gigs ram, it would take a few hours to complete a few times.

I generally only use those two and sometimes the cpu stress test
mikeabc27Author Commented:
Yesterday morning I started another Kaspersky Rescue and this has been running for 25 hours and up to 95% (it was waiting for prompt overnight). It has found 4 Exploit.HTML trojans, but this time I followed the recommended option and did not delete them. I will delete when/if it completes.
I will run the UBCD when this finishes.
mikeabc27Author Commented:
Optoma,
The Kaspersky scan just finished after 26 hours (log attached) and it booted into Windows at first attempt. CPU running at 100% with sidebar.exe the main protagonist.
I didn't move the PC while it was scanning, unlike the scans when it shut down, and went with the Kaspersky recommendations which was to leave 4 of the Exploit detections. However, when it completed, it would not allow me to disinfect them. Chose Disinfect All, nothing happened after 10 minutes.
Where do you think I should go from here?
Thanks,
Mike

kasp---Copy.txt
rpggamergirlCommented:
It's possible that it's false positive, KAS is a very thorough scanner and it's very suspicious of everything.

You could also try and manually delete those emails yourself....looks like they're last year's Hijackthis logs.
So long as the system is fully patched, even if there really is a malicious code embedded in those logs it won't be able to download and install malicious programs.
optomaCommented:
sidebar.exe >can you turn off vista sidebar and disable it from starting up at machine boot. (right click on sidebar to enter properties to do so)

After re booting is cpu usage ok?

mikeabc27Author Commented:
Sorry for delay in reply, it keeps shutting down during UBCD memory/cpu tests. Will continue this evening.
optomaCommented:
If it keeps shutting down in those tests then it's not a good sign :(
Hardware related issue>you mentioned that it's under warranty?

mikeabc27Author Commented:
No, unfortunately, when I checked my bills and the Toshiba warranty site, it expired in Feb!!!
optomaCommented:
since it's out of warranty, can you check that the cpu fan is running ok, that's if it is easy to access :)

mikeabc27Author Commented:
Thanks for persevering with me Optoma. The CPU appears quite accessible. I've blown through the vents by it to clear any dust. The vent right above it (on the base of the laptop) feels cold to the touch, but it's only been on a few minutes and currently on its side to let air flow in more freely. The side vent expelling the air is as warm as you would expect.
I'll see how long it stays on for and how hot the vents are when it shuts down.
 
optomaCommented:
np :)
mikeabc27Author Commented:
No, it shut down after 15 minutes when the cpu vent was very cool!
optomaCommented:
It was booted into Vista when shut down?

Can you try replacing the ram sticks or try them individually and test.

With the vents staying cool shows that cpu cooling is ok but I wouldn't be too knowledgeable on that :(
mikeabc27Author Commented:
I didn't get a chance to test the memory until this afternoon, but now they've been removed and reseated it's been running ok for an hour (unthinkable of yesterday) - fingers crossed
mikeabc27Author Commented:
Many thanks to both of you.
Unfortunately it shutdown after 25 hours and now only runs for a few minutes.
Obviously a hardware issue and will attempt sort when time permits.
optomaCommented:
No prob. Gonna be a tricky one to determine :(