Solved

Is one folder causing antimalware scanners to hang / fail?

Posted on 2014-02-13
864 Views
Last Modified: 2014-03-10
On a Windows 7 PC infected with a fake security virus, I was able to get into safe mode. But (1) rkill (which I had renamed) kept freezing / stopping at the same point (checking the firewall), (2) combofix's windows would just disappear without running the scan, and (3) TFC by Oldtimer would get to a certain point and seem to get stuck forever (at "windows temp files").  Based on what I read online, I didn't bother letting TFC run more than 30 mins.

I ran a bunch of other stuff (Kaspersky Rescue Disk, HitmanPro, Adwcleaner, Roguekiller, MBAR, etc), and then I returned to Normal Mode, there was no further virus activity.  HOWEVER, those three programs (rkill, combofix & TFC) froze / failed to finish.

I scheduled a scandisk ("chkdsk /r") & rebooted, but it seemed to complete way too fast (it took 1 second to say, "volume clean"), so I ran ScanDisk from a boot disk (Hiren's miniXP). Then I was able to run Scandisk normally (it ran all 5 stages).  But the 3 above hanging issues persisted.

And as a weird side-note, I noticed that if I ran combofix, and let its windows disappear, and then I ran HitmanPro, the combofix Autoscan window would appear and run alongside Hitmanpro. Combofix completed and fixed some stuff. But the 3 problems persisted.


Then I noticed that HitmanPro was spending a lot of time scanning this folder:
 "c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files...."

This folder had about 9gb in it. When I tried to delete this folder, it was still executing 30 minutes later. So I let the "deleting folder" window run over night. In the morning, the folder was gone, and ALL THREE of the above problems were gone (rkill, TFC & combofix all ran normally now).

So I'm guessing there were two problems - (1) a virus, and (2) a folder with a very long path inside it (or something funky).
____
My questions are:
(1) Is it likely that that folder or something inside it was causing the 3 problems?
(2) How would that work?
(3) In case this happens again in the future, is there a way I can recognize that I need to delete a particular folder to move forward?

thx!
Question by:dgrrr
17 Comments
 
LVL 49

Accepted Solution

by:
dbrunton earned 1200 total points
ID: 39857148
>>  (1) Is it likely that that folder or something inside it was causing the 3 problems?

Quite possible.

(2) How would that work?

Suggestions only.  

Could be the applications concerned running out of memory.  If they required pieces of memory to handle each file in the folder and weren't releasing memory back to the OS when finished with the file then the OS could eventually run out of free memory.

Or a corrupt file name or corrupt file they couldn't handle but the delete process could handle OK.

Remember these are suggestions.  Other experts will probably chip in with others.

(3) In case this happens again in the future, is there a way I can recognize that I need to delete a particular folder to move forward?

You've recognized some symptoms and can use that knowledge in the future.  Very nice deducing there.  Cleaning out temp folders is a good way to help cure virus problems and to help the scanning process.  %APPDATA% is a common place for virii to hide.
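For question (3), a diagnostic the thread does not include: the following PowerShell script is an added example (written for this page, not code from the thread or from any of the tools named in it). It surveys the directories where the hang was traced, including the systemprofile temporary internet files path from the question, and reports the signs the accepted answer suggests as causes: a single directory holding a huge number of files, a tree far larger than expected, paths longer than the classic MAX_PATH limit, and names with trailing dots or spaces or control characters that Win32 tools handle badly. It assumes an elevated PowerShell 3.0 or later session on Windows 7 or newer; the root list and the thresholds are placeholders to adjust.

```powershell
# Added example, not from the thread. Run elevated; PowerShell 3.0+ required (-File switch).
# Roots and thresholds below are assumptions to tune for the machine being examined.
$Roots = @(
    "$env:SystemRoot\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files",
    "$env:SystemRoot\System32\config\systemprofile\AppData\Local\Temp",
    "$env:SystemRoot\Temp"
)
$FileCountThreshold = 50000   # one directory with more files than this is flagged
$SizeThresholdMB    = 2048    # a tree larger than this is flagged
$MaxPathLength      = 259     # classic MAX_PATH; many older scanners still assume it

function Get-FolderReport {
    param([Parameter(Mandatory)][string]$Root)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Skipping missing path: $Root"
        return
    }

    # One pass over the tree. Locked files and (on .NET before 4.6.2) over-long
    # paths raise errors; they are collected in $errs instead of aborting the scan.
    $errs  = @()
    $files = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -File `
               -ErrorAction SilentlyContinue -ErrorVariable errs)

    $totalBytes = ($files | Measure-Object -Property Length -Sum).Sum
    if (-not $totalBytes) { $totalBytes = 0 }

    # Directories holding an abnormal number of entries (the Content.IE5 pattern).
    $crowded = @($files |
        Group-Object -Property DirectoryName |
        Where-Object { $_.Count -gt $FileCountThreshold } |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name)

    # Paths beyond MAX_PATH: older Win32 tools cannot open, scan or delete them.
    $longPaths = @($files | Where-Object { $_.FullName.Length -gt $MaxPathLength })

    # Names with trailing dot/space or control characters: valid on NTFS, but
    # Win32 path normalisation strips or rejects them, so tools get stuck on them.
    $oddNames = @($files | Where-Object { $_.Name -match '[\x00-\x1F]|[. ]$' })

    $deepest = $files |
        Sort-Object -Property { $_.FullName.Split('\').Count } -Descending |
        Select-Object -First 1

    [PSCustomObject]@{
        Root          = $Root
        FileCount     = $files.Count
        SizeMB        = [math]::Round($totalBytes / 1MB, 1)
        AccessErrors  = $errs.Count
        CrowdedDirs   = $crowded
        LongPathCount = $longPaths.Count
        OddNameCount  = $oddNames.Count
        DeepestPath   = if ($deepest) { $deepest.FullName } else { $null }
        Suspicious    = ($crowded.Count -gt 0 -or $longPaths.Count -gt 0 -or
                         $oddNames.Count -gt 0 -or $errs.Count -gt 0 -or
                         ($totalBytes / 1MB) -gt $SizeThresholdMB)
    }
}

foreach ($root in $Roots) {
    $report = Get-FolderReport -Root $root
    if ($null -eq $report) { continue }
    $report | Format-List -Property Root, FileCount, SizeMB, AccessErrors,
        LongPathCount, OddNameCount, DeepestPath, Suspicious
    if ($report.CrowdedDirs.Count -gt 0) {
        "Directories over $FileCountThreshold files under ${root}:"
        $report.CrowdedDirs | Format-Table -AutoSize
    }
}
```

A root marked Suspicious is the one to empty (or to exclude from the scanner while it is dealt with) before rerunning the cleanup tools; a non-zero AccessErrors count on an otherwise small tree points at locked or unopenable entries rather than sheer volume. Because the script only reads metadata, it can be run from a live system or against an offline volume mounted from a rescue environment by changing the root paths.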
 
LVL 9

Expert Comment

by:discgman
ID: 39857247
I would think the files you deleted were temporary internet files, which would have housed some of the virus/malware that was infecting your pc. Certain types of malware, especially the bad ones, can prevent combofix and other anti malware products from scanning or running at all. You were lucky to be able to delete those particular files, as they could have continued to wreak havoc on your computer. Here is a Microsoft article on cleaning up the files and adjusting the size of storage.

http://support.microsoft.com/kb/260897
 

Author Comment

by:dgrrr
ID: 39858221
I often clean out temp folders, but I've never gone to:
   ...system32\config\systemprofile
because when I saw it, I assumed it was used by some 3rd party registry backup program (a la erunt).

Is that normally a common place for temp files to go? What program or event puts files there?  Google says it's a backup of the local user...
 
LVL 49

Expert Comment

by:dbrunton
ID: 39858253
 
LVL 93

Expert Comment

by:nobus
ID: 39858371
blind link alert ??    :-))

in such heavily infected systems, i do 2 things :
1-i scan from an updated boot cd, like kaspersky, or AV or microsoft offline defender:
http://windows.microsoft.com/nl-be/windows/what-is-windows-defender-offline

2-if this does not help much, i go for a fresh install, after backup; it saves time in the end
 

Author Comment

by:dgrrr
ID: 39858384
"It is the profile directory for the system user account, which is the user running the root IIS process host instance"

Refs to IIS notwithstanding, I'm guessing that the "system user account" runs essential windows processes and records global system settings regardless of which user is logged in.  And for some reason Windows 7 puts it under the registry hive file folder instead of C:\Users\.

And (forgive my ignorance) I'm assuming that a "profile directory" is the same as a "user account directory" (aka User Account Profile Directory?).

But why would the "system user account" download a bunch of temporary internet files?  Does it COPY "content.ie5" from the User folders?
 
LVL 49

Expert Comment

by:dbrunton
ID: 39858460
No need to plead ignorance.  I misread your question and assumed the %APPDATA% directory was in the normal place.  In this case it isn't.

>>  I'm guessing that the "system user account" runs essential windows processes and records global system settings regardless of which user is logged in.  And for some reason Windows 7 puts under the registry hive file folder instead of C:\Users\.

Googling indicates this.  Also see later.

>>  "user account directory" (aka User Account Profile Directory?).

Looks like it.  I have problems with Microsoft terminology and documents.  The eyes go glassy and after I have read it I can't remember it.  Like there was no information there.  I can find information on the System User Account for Windows XP but little about it for Windows Vista/7.  For XP it is very similar to Admin account but slightly more powerful in that it runs essential services.

>>  But why would the "system user account" download a bunch of temporary internet files?  Does it COPY "content.ie5" from the User folders?

Using Google I can find examples of users having problems after updates with their desktops going missing and ending up in "system32\config\systemprofile\"  I'll assume they were using their computer as Administrator or possibly System (but not sure how they did the last) and the data got copied or moved across.  So it is possible this occurred.  But 9 Gb of data?  There must have been a lot of surfing or something involved as System (or Administrator).
 
LVL 93

Expert Comment

by:nobus
ID: 39858685
did you test if a scan from a bootable cd also hangs ?
 
LVL 9

Expert Comment

by:discgman
ID: 39859406
Here is some more interesting information from microsoft

http://answers.microsoft.com/en-us/ie/forum/ie10-windows_7/explorer-10-downloading-massive-number-of-files/1b51fbf8-9cc2-4ed2-a150-947d7e02bb5f

Lots of resetting IE settings and cleaning out folders.
 
LVL 49

Assisted Solution

by:dbrunton
dbrunton earned 1200 total points
ID: 39860040
Interesting.

The article indicates the Alureon rootkit can cause this.  If the original fake security virus was Security Essentials 2010, see https://en.wikipedia.org/wiki/Alureon, that would explain what is happening on this machine.

Have a good read of that Wikipedia article.  You may need to check the MBR on that machine or redo it as a final check.

But again Alureon seems to be the culprit here and the explanation.
 
LVL 93

Expert Comment

by:nobus
ID: 39861007
the article also says ". It may be useful to perform an offline scan " as i suggested
but i received no comment on it....
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39914942
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
 
LVL 49

Expert Comment

by:dbrunton
ID: 39914943
Don't delete.  Refund the Asker's points and keep.  There is a lot of valuable information in this thread.
 

Author Comment

by:dgrrr
ID: 39915295
Sorry all, I'm terrible about keeping up with my EE responses.

I DID run a scan from a freshly updated Kaspersky Rescue Disk, and it did remove some threats (I think they were labelled "trojans"). But the hanging of programs continued AFTER the Kaspersky boot disk scan.

I also had run TDSSKiller in special mode (with items checked as suggested on bleepingcomputer, as well as normal mode).

The other item suggested by Wikipedia for Alureon is Windows Defender Offline. My instinct is not to bother with Microsoft products. Have any of you tried this tool?

AND OH YEAH - the infection came back this week!  (Weeks after all of the above)

I'm guessing that (in general) antimalware tools that run from within windows can't get at viruses in the MBR? (Or certain drivers?)
 
LVL 49

Expert Comment

by:dbrunton
ID: 39915316
>>  I'm guessing that (in general) antimalware tools that run from within windows can't get at viruses in the MBR? (Or certain drivers?)

Not at the MBR anyway.  Some drivers I think but need more confirmation from others.

>>  I DID run a scan from a freshly updated Kaspersky Rescue Disk , and it did remove some threats (I think they were labelled "trojans"). But the hanging of programs continued AFTER the Kaspersky boot disk scan.

Yeah, so there's still stuff there.  Trouble is nowadays you have to hit the virii with two or three applications to make sure you get everything.

>>  AND OH YEAH - the infection came back this week!

Time to wipe and reinstall.