Jsmply
asked on
Help with an infection, seems to be cleaning up but CF has odd behavior
Been cleaning up an infected laptop from one of our users. MBAM Pro was having some issues with the removal: even after MBAM kept removing things, they came right back after a restart. Rkill never realized any malware was running. The symptoms were browser proxy settings all changed, constant pop-ups asking to open IMAGE .PNG files, and a constant message from run32dll.exe wanting to launch an application.
CF seemed to fix it. Ran it once and it removed several things MBAM didn't, on the second pass it didn't find anything. Both logs are attached. The odd behavior though is that when running CF, it seems to run fine but after it completes all the stages the machine logs out. Once logging back in the CF screen is gone and no network connection is available (presumably because CF hasn't restored it yet). It takes a manual restart to trigger the CF screen that says preparing log report and for CF to reinstate the network connections. This happened on both passes. Presumably something is still going on.
Both CF logs are attached. Any help appreciated. 1st-runComboFix.txt
ComboFix.txt
ASKER
Thank you. In the end, we keep getting bluescreens and other random errors now. The user does have an image available for the machine so it seems in this case restoring via image is the easiest route seeing as the machine doesn't have much software to reinstall, etc.
Thanks for your help everyone. Just for educational purposes, does CF usually have an issue with 64 bit systems?
It comes in handy when the system has an image available to restore; it's more of a time-saver than troubleshooting the issues that the PC is left with.
"...does CF usually have an issue with 64 bit systems?"
Not usually, but sometimes CF doesn't run smoothly. The one I ran yesterday was a fresh download and it was on a clean system (just wanted to test it); I ended up having to restore CF's ERDNT backup to put things back to normal.
ASKER
Thanks. How would you know if it doesn't run smoothly? Is the erratic run behavior that we described the indicator, or is it something in the log?
ASKER
Thx
Doesn't run smoothly, e.g. the one I had popped up an error instead of the log at the end of the scan, and I had to force-restart the PC.
Thanks!
ASKER
You're very welcome. Also, an FYI: it's hard to tell here whether there were more issues than just CF or the malware, because after imaging the machine it turned out it also has a failing hard drive (found in hardware diagnostics). So this wouldn't be a great example for anyone else reading.
Also thanks for posting that additional information.