Solved

Is one folder causing antimalware scanners to hang / fail?

Posted on 2014-02-13
17
789 Views
Last Modified: 2014-03-10
On a Windows 7 PC infected with a fake security virus, I was able to get into safe mode. But (1) rkill (which I had renamed) kept freezing / stopping at the same point (checking the firewall), (2) combofix's windows would just disappear without running the scan, and (3) TFC by Oldtimer would get to a certain point and seem to get stuck forever (at "windows temp files").  Based on what I read online, I didn't bother letting TFC run more than 30 mins.

I ran a bunch of other stuff (Kaspersky Rescue Disk, HitmanPro, Adwcleaner, Roguekiller, MBAR, etc), and then I returned to Normal Mode, there was no further virus activity.  HOWEVER, those three programs (rkill, combofix & TFC) froze / failed to finish.

I scheduled a scandisk ("chkdsk /r") & rebooted, but it seemed to complete way too fast (it took 1 second to say, "volume clean"), so I ran ScanDisk from a boot disk (Hiren's miniXP). Then I was able to run Scandisk normally (it ran all 5 stages).  But the 3 above hanging issues persisted.

And as a weird side-note, I noticed that if I ran combofix, and let its windows disappear, and then I ran HitmanPro, the combofix Autoscan window would appear and run alongside HitmanPro. Combofix completed and fixed some stuff. But the 3 problems persisted.


Then I noticed that HitmanPro was spending a lot of time scanning this folder:
 "c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files...."

This folder had about 9gb in it. When I tried to delete this folder, it was still executing 30 minutes later. So I let the "deleting folder" window run over night. In the morning, the folder was gone, and ALL THREE of the above problems were gone (rkill, TFC & combofix all ran normally now)

So I'm guessing there were two problems - (1) a virus, and (2) a folder with a very long path inside it (or something funky).
____
My questions are:
(1) Is it likely that that folder or something inside it was causing the 3 problems?
(2) How would that work?
(3) In case this happens again in the future, is there a way I can recognize that I need to delete a particular folder to move forward?

thx!
Question by:dgrrr
17 Comments
 
LVL 47

Accepted Solution

by:
dbrunton earned 300 total points
>>  (1) Is it likely that that folder or something inside it was causing the 3 problems?

Quite possible.

(2) How would that work?

Suggestions only.  

Could be the applications concerned running out of memory.  If they required pieces of memory to handle each file in the folder and weren't releasing memory back to the OS when finished with the file then the OS could eventually run out of free memory.

Or a corrupt file name or corrupt file they couldn't handle but the delete process could handle OK.

Remember these are suggestions.  Other experts will probably chip in with others.

(3) In case this happens again in the future, is there a way I can recognize that I need to delete a particular folder to move forward?

You've recognized some symptoms and can use that knowledge in the future.  Very nice deducing there.  Cleaning out temp folders is a good way of helping to cure virus problems and helping the scanning process.  %APPDATA% is a common place for virii to hide.
 
LVL 9

Expert Comment

by:discgman
I would think the files you deleted were temporary internet files, which would have housed some of the virus/malware that was infecting your pc. Certain types of malware, especially the bad ones, can prevent combofix and other anti malware products from scanning or running at all. You were lucky to be able to delete those particular files, as they could have continued to wreak havoc on your computer. Here is a Microsoft article on cleaning up the files and adjusting the size of storage.

http://support.microsoft.com/kb/260897
 

Author Comment

by:dgrrr
I often clean out temp folders, but I've never gone to:
   ...system32\config\systemprofile
because when I saw it, I assumed it was used by some 3rd party registry backup program (a la erunt).

Is that normally a common place for temp files to go? What program or event puts files there?  Google says it's a backup of the local user...
 
LVL 47

Expert Comment

by:dbrunton
 
LVL 91

Expert Comment

by:nobus
blind link alert ??    :-))

in such heavily infected systems, i do 2 things :
1-i scan from an updated boot cd, like kaspersky, or AV or microsoft offline defender:
http://windows.microsoft.com/nl-be/windows/what-is-windows-defender-offline

2-if this does not help much, i go for a fresh install, after backup; it saves time in the end
 

Author Comment

by:dgrrr
"It is the profile directory for the system user account, which is the user running the root IIS process host instance"

Refs to IIS notwithstanding, I'm guessing that the "system user account" runs essential windows processes and records global system settings regardless of which user is logged in.  And for some reason Windows 7 puts it under the registry hive file folder instead of C:\Users\.

And (forgive my ignorance) I'm assuming that a "profile directory" is the same as a "user account directory" (aka User Account Profile Directory?).

But why would the "system user account" download a bunch of temporary internet files?  Does it COPY "content.ie5" from the User folders?
 
LVL 47

Expert Comment

by:dbrunton
No need to plead ignorance.  I misread your question and assumed the %APPDATA% directory was in the normal place.  In this case it isn't.

>>  I'm guessing that the "system user account" runs essential windows processes and records global system settings regardless of which user is logged in.  And for some reason Windows 7 puts under the registry hive file folder instead of C:\Users\.

Googling indicates this.  Also see later.

>>  "user account directory" (aka User Account Profile Directory?).

Looks like it.  I have problems with Microsoft terminology and documents.  The eyes go glassy and after I have read it I can't remember it.  Like there was no information there.  I can find information on the System User Account for Windows XP but little about it for Windows Vista/7.  For XP it is very similar to Admin account but slightly more powerful in that it runs essential services.

>>  But why would the "system user account" download a bunch of temporary internet files?  Does it COPY "content.ie5" from the User folders?

Using Google I can find examples of users having problems after updates with their desktops going missing and ending up in "system32\config\systemprofile\"  I'll assume they were using their computer as Administrator or possibly System (but not sure how they did the last) and the data got copied or moved across.  So it is possible this occurred.  But 9 Gb of data?  There must have been a lot of surfing or something involved as System (or Administrator).
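As an added example for this thread (not code from any of the posters, and not a Microsoft tool), the PowerShell script below ties the accepted answer's point about recognizing the symptom to the discussion of the system user account just above. Windows records the profile path of every account, service accounts included, under the ProfileList registry key: S-1-5-18 (NT AUTHORITY\SYSTEM) maps to %SystemRoot%\system32\config\systemprofile, and S-1-5-19 / S-1-5-20 (LocalService / NetworkService) map under %SystemRoot%\ServiceProfiles on Vista and later. So the folder in the question is not a backup; it is the SYSTEM account's own profile, and any service or scheduled task running as SYSTEM that fetches content through WinINet caches it in that profile's Temporary Internet Files. The script walks every registered profile, sizes the cache and temp folders under each, and flags the ones that are oversized, hold an enormous number of files, or contain paths past MAX_PATH, which are the conditions that make per-file tools such as rkill, TFC and ComboFix stall. The thresholds and the extra CryptnetUrlCache folder are assumptions chosen for triage, not documented limits.

```powershell
# Added example for this thread, not code from any poster or from Microsoft.
# Run in an elevated PowerShell prompt (the 2.0 shipped with Windows 7 is enough).
# 1. Resolve every profile from ProfileList, including the service profiles that
#    live outside C:\Users (S-1-5-18 = NT AUTHORITY\SYSTEM, whose profile is
#    %SystemRoot%\system32\config\systemprofile).
# 2. Size the temp and IE cache folders under each and flag the abnormal ones.
# The thresholds are assumptions chosen for triage, not documented limits.

$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Subfolders, relative to a profile root, where cached and temporary files pile
# up on Windows 7. The first is the folder that held 9 GB in the question.
$TempSubfolders = @(
    'AppData\Local\Microsoft\Windows\Temporary Internet Files',
    'AppData\Local\Temp',
    'AppData\LocalLow\Microsoft\CryptnetUrlCache'   # assumption: worth checking too
)

$MaxBytes     = 1GB     # assumption: a cache above this is worth emptying
$MaxFiles     = 50000   # assumption: per-file scanners stall well before this
$MaxPathChars = 259     # MAX_PATH; Explorer and many tools fail past it

function Get-ProfileRoots {
    # One object per registered profile: SID, account name (if it resolves), path.
    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        $sid  = $_.PSChildName
        $raw  = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $account = '(unresolved)'
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        New-Object PSObject -Property @{ Sid = $sid; Account = $account; Path = $path }
    }
}

function Measure-TempFolder {
    param([string]$Folder)
    # Get-ChildItem cannot descend past MAX_PATH and reports PathTooLong errors;
    # they are counted rather than fatal, because a tree too deep to enumerate
    # is exactly the condition that hung the cleaning tools.
    $errs  = @()
    $files = Get-ChildItem -LiteralPath $Folder -Recurse -Force `
                 -ErrorAction SilentlyContinue -ErrorVariable errs |
             Where-Object { -not $_.PSIsContainer }
    $bytes = 0; $count = 0; $longest = 0
    foreach ($f in $files) {
        $count++
        $bytes += $f.Length
        if ($f.FullName.Length -gt $longest) { $longest = $f.FullName.Length }
    }
    $suspicious = ($bytes -gt $MaxBytes) -or ($count -gt $MaxFiles) -or
                  ($longest -ge $MaxPathChars) -or ($errs.Count -gt 0)
    New-Object PSObject -Property @{
        Folder       = $Folder
        Files        = $count
        MB           = [math]::Round($bytes / 1MB)
        LongestPath  = $longest
        AccessErrors = $errs.Count
        Suspicious   = $suspicious
    }
}

$report = foreach ($p in Get-ProfileRoots) {
    foreach ($rel in $TempSubfolders) {
        $dir = Join-Path -Path $p.Path -ChildPath $rel
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $m = Measure-TempFolder -Folder $dir
        $m | Add-Member -MemberType NoteProperty -Name Account -Value $p.Account -PassThru
    }
}

$report | Sort-Object -Property MB -Descending |
    Format-Table -Property Account, Files, MB, LongestPath, AccessErrors, Suspicious, Folder -AutoSize
```

A row flagged Suspicious under NT AUTHORITY\SYSTEM is the pattern from this thread: a huge, deep cache in a profile no interactive user ever cleans. Deleting it from the command line (`cmd /c rd /s /q "<folder>"`) is far faster than the Explorer "deleting folder" dialog, which first enumerates every file to show progress; if even that fails on path length, the same removal from a boot CD avoids the running system's MAX_PATH and open-handle problems. Emptying the folder removes the scanner stall, not the infection, so the scans still need to be repeated afterwards.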
 
LVL 91

Expert Comment

by:nobus
did you test if a scan from a bootable cd also hangs ?
 
LVL 9

Expert Comment

by:discgman
Here is some more interesting information from microsoft

http://answers.microsoft.com/en-us/ie/forum/ie10-windows_7/explorer-10-downloading-massive-number-of-files/1b51fbf8-9cc2-4ed2-a150-947d7e02bb5f

Lots of reseting IE settings and cleaning out folders.
 
LVL 47

Assisted Solution

by:dbrunton
dbrunton earned 300 total points
Interesting.

The article indicates the Alureon rootkit can cause this.  If the original fake security virus was Security Essentials 2010, see https://en.wikipedia.org/wiki/Alureon, that would explain what is happening on this machine.

Have a good read of that Wikipedia article.  You may need to check the MBR on that machine or redo it as a final check.

But again Alureon seems to be the culprit here and the explanation.
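The suggestion above to check the MBR is worth making concrete. The following PowerShell is an added example for this thread, not code from any poster or from the Wikipedia article: it reads sector 0 of the first physical disk from an elevated prompt and reports the fields that can be compared against a known-clean Windows 7 machine. It assumes the boot disk is PhysicalDrive0 with a classic MBR and 512-byte sectors, which is the normal Windows 7 layout.

```powershell
# Added example for this thread, not code from any poster. Reads sector 0 of the
# first physical disk from an elevated PowerShell prompt (PowerShell 2.0 on
# Windows 7 is enough) and reports the fields worth comparing against a clean
# machine. Assumptions: the boot disk is PhysicalDrive0 and uses a classic MBR
# with 512-byte sectors, which is the normal Windows 7 layout.

function Get-MbrSector {
    param([string]$Device = '\\.\PhysicalDrive0')
    # Raw device reads go through the same FileStream API as files; the OS keeps
    # the disk open, so FileShare.ReadWrite is required and reads are whole sectors.
    $mode  = [System.IO.FileMode]::Open
    $acc   = [System.IO.FileAccess]::Read
    $share = [System.IO.FileShare]::ReadWrite
    $fs = New-Object System.IO.FileStream($Device, $mode, $acc, $share)
    try {
        $sector = New-Object byte[] 512
        $n = $fs.Read($sector, 0, 512)
    } finally {
        $fs.Close()
    }
    if ($n -ne 512) { throw "Short read from $Device ($n bytes)" }
    return ,$sector      # leading comma keeps the byte[] from being unrolled
}

function Get-MbrSummary {
    param([byte[]]$Sector)
    # Layout of a classic MBR: bytes 0..439 bootstrap code, 440..443 disk
    # signature, 446..509 four 16-byte partition entries, 510..511 must be 55 AA.
    $sig  = '{0:X2}{1:X2}' -f $Sector[510], $Sector[511]
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($Sector, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''
    $parts = for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        if ($Sector[$o + 4] -eq 0) { continue }      # type 0x00 = unused entry
        New-Object PSObject -Property @{
            Entry    = $i
            Active   = ($Sector[$o] -eq 0x80)
            Type     = '0x{0:X2}' -f $Sector[$o + 4]
            StartLBA = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    New-Object PSObject -Property @{
        BootSignature      = $sig
        BootSignatureValid = ($sig -eq '55AA')
        DiskSignature      = '0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 440)
        BootstrapSHA256    = $hash
        Partitions         = @($parts)
    }
}

$summary = Get-MbrSummary -Sector (Get-MbrSector)
$summary | Format-List -Property BootSignature, BootSignatureValid, DiskSignature, BootstrapSHA256
$summary.Partitions | Format-Table -Property Entry, Active, Type, StartLBA, Sectors -AutoSize
```

Compare BootstrapSHA256 with the value from a known-clean Windows 7 install, or with the hash of the same sector after `bootrec /fixmbr` has rewritten it from the recovery environment. A matching hash taken from inside the running OS proves less than it seems: the TDL4 generation of Alureon filters reads of the sectors it owns by hooking the disk driver, so the decisive read is the same script from a boot CD or WinPE. The rootkit also keeps its own file system in the unpartitioned space past the end of the last partition (StartLBA + Sectors of the highest entry), which is why an offline scan, as nobus suggested, is the check that settles it.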
 
LVL 91

Expert Comment

by:nobus
the article also says ". It may be useful to perform an offline scan " as i suggested
but i received no comment on it....
 
LVL 59

Expert Comment

by:LeeTutor
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
 
LVL 47

Expert Comment

by:dbrunton
Don't delete.  Refund the Asker's points and keep.  There is a lot of valuable information in this thread.
 

Author Comment

by:dgrrr
Sorry all, I'm terrible about keeping up with my EE responses.

I DID run a scan from a freshly updated Kaspersky Rescue Disk, and it did remove some threats (I think they were labelled "trojans"). But the hanging of programs continued AFTER the Kaspersky boot disk scan.

I also had run TDSSKILLER in special mode (with items checked as suggested on bleepingcomputer, as well as normal mode).

The other item suggested by Wikipedia for Alureon is Windows Defender Offline. My instinct is not to bother with Microsoft products.. Have any of you tried this tool?

AND OH YEAH - the infection came back this week!  (Weeks after all of the above)

I'm guessing that (in general) antimalware tools that run from within windows can't get at viruses in the MBR? (Or certain drivers?)
 
LVL 47

Expert Comment

by:dbrunton
>>  I'm guessing that (in general) antimalware tools that run from within windows can't get at viruses in the MBR? (Or certain drivers?)

Not at the MBR anyway.  Some drivers I think but need more confirmation from others.

>>  I DID run a scan from a freshly updated Kaspersky Rescue Disk , and it did remove some threats (I think they were labelled "trojans"). But the hanging of programs continued AFTER the Kaspersky boot disk scan.

Yeah, so there's still stuff there.  Trouble is nowadays you have to hit the virii with two or three applications to make sure you get everything.

>>  AND OH YEAH - the infection came back this week!

Time to wipe and reinstall.