Solved

Is one folder causing antimalware scanners to hang / fail?

Posted on 2014-02-13
17
803 Views
Last Modified: 2014-03-10
On a Windows 7 PC infected with a fake security virus, I was able to get into safe mode. But (1) rkill (which I had renamed) kept freezing / stopping at the same point (checking the firewall), (2) combofix's windows would just disappear without running the scan, and (3) TFC by Oldtimer would get to a certain point and seem to get stuck forever (at "windows temp files").  Based on what I read online, I didn't bother letting TFC run more than 30 mins.

I ran a bunch of other stuff (Kaspersky Rescue Disk, HitmanPro, Adwcleaner, Roguekiller, MBAR, etc), and then I returned to Normal Mode, there was no further virus activity.  HOWEVER, those three programs (rkill, combofix & TFC) froze / failed to finish.

I scheduled a scandisk ("chkdsk /r") & rebooted, but it seemed to complete way too fast (it took 1 second to say, "volume clean"), so I ran ScanDisk from a boot disk (Hiren's miniXP). Then I was able to run ScanDisk normally (it ran all 5 stages). But the 3 above hanging issues persisted.

And as a weird side-note, I noticed that if I ran combofix, and let its windows disappear, and then I ran HitmanPro, the combofix Autoscan window would appear and run alongside HitmanPro. Combofix completed and fixed some stuff. But the 3 problems persisted.


Then I noticed that HitmanPro was spending a lot of time scanning this folder:
 "c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files...."

This folder had about 9 GB in it. When I tried to delete this folder, it was still executing 30 minutes later. So I let the "deleting folder" window run overnight. In the morning, the folder was gone, and ALL THREE of the above problems were gone (rkill, TFC & combofix all ran normally now).

So I'm guessing there were two problems - (1) a virus, and (2) a folder with a very long path inside it (or something funky).
____
My questions are:
(1) Is it likely that that folder or something inside it was causing the 3 problems?
(2) How would that work?
(3) In case this happens again in the future, is there a way I can recognize that I need to delete a particular folder to move forward?

thx!
Question by:dgrrr
17 Comments
 
LVL 48

Accepted Solution

by:
dbrunton earned 300 total points
ID: 39857148
>>  (1) Is it likely that that folder or something inside it was causing the 3 problems?

Quite possible.

(2) How would that work?

Suggestions only.  

Could be the applications concerned running out of memory.  If they required pieces of memory to handle each file in the folder and weren't releasing memory back to the OS when finished with the file then the OS could eventually run out of free memory.

Or a corrupt file name or corrupt file they couldn't handle but the delete process could handle OK.

Remember these are suggestions.  Other experts will probably chip in with others.

(3) In case this happens again in the future, is there a way I can recognize that I need to delete a particular folder to move forward?

You've recognized some symptoms and can use that knowledge in the future.  Very nice deducing there.  Cleaning out temp folders is a good way to help cure virus problems and help the scanning process.  %APPDATA% is a common place for virii to hide.
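As an added example (not code from the thread or from any of the tools named in it), here is a PowerShell script that answers question (3) in a repeatable way: it sizes up the systemprofile Temporary Internet Files folder the asker found and flags the things that made it a problem, namely a huge file count, a huge total size, paths near the 260-character limit, and entries that cannot even be enumerated. It assumes Windows 7 with the stock PowerShell 2.0 (so it avoids newer parameters), an elevated prompt, and the path from the question; the warning thresholds are my own choices.

```powershell
# Added example, not from the thread. Sizes up the folder from the question so a
# bloated or partly unreadable folder is spotted before scanners are launched.
# Assumes Windows 7 / PowerShell 2.0 or later, run as Administrator.
param(
    [string]$Folder = 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files',
    [int64]$SizeWarnBytes = 1GB,   # thresholds are assumptions; adjust to taste
    [int]$CountWarn = 100000,
    [int]$PathWarn = 240           # close to MAX_PATH (260); longer paths break many Win32 tools
)

if (-not (Test-Path -LiteralPath $Folder)) {
    Write-Output "Folder not present: $Folder"
    return
}

# -Force includes the hidden content.IE5 subfolders; errors are collected, not fatal.
$errs = @()
$files = Get-ChildItem -LiteralPath $Folder -Recurse -Force `
            -ErrorAction SilentlyContinue -ErrorVariable errs |
         Where-Object { -not $_.PSIsContainer }

$count = @($files).Count
$bytes = ($files | Measure-Object -Property Length -Sum).Sum
if ($bytes -eq $null) { $bytes = 0 }
$longest = $files | Sort-Object { $_.FullName.Length } -Descending | Select-Object -First 1
$longestLen  = if ($longest) { $longest.FullName.Length } else { 0 }
$longestPath = if ($longest) { $longest.FullName } else { '' }

Write-Output ("Files: {0}  Size: {1:N1} MB  Longest path: {2} chars" -f $count, ($bytes / 1MB), $longestLen)
Write-Output ("Longest path: {0}" -f $longestPath)

# Entries PowerShell itself cannot read (access denied, path too long, corrupt
# names) are the most useful signal: the same entries will trip up any scanner
# that walks this tree, which matches the hangs described in the question.
Write-Output ("Entries PowerShell could not read: {0}" -f $errs.Count)
$errs | Select-Object -First 5 | ForEach-Object { Write-Output ("  " + $_.TargetObject) }

$flags = @()
if ($bytes -gt $SizeWarnBytes) { $flags += ("size over {0:N0} MB" -f ($SizeWarnBytes / 1MB)) }
if ($count -gt $CountWarn)     { $flags += "more than $CountWarn files" }
if ($longestLen -gt $PathWarn) { $flags += "path length over $PathWarn characters" }
if ($errs.Count -gt 0)         { $flags += "unreadable entries" }

if ($flags.Count -gt 0) {
    Write-Warning ("Suspect folder; consider clearing it before scanning: " + ($flags -join '; '))
} else {
    Write-Output "Nothing unusual about this folder."
}
```

If the enumeration itself runs for a very long time, that is the same symptom the scanners showed and is reason enough to clear the folder from a boot disk rather than from within Windows.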
LVL 9

Expert Comment

by:discgman
ID: 39857247
I would think the files you deleted were temporary internet files, which would have housed some of the virus/malware that was infecting your pc. Certain types of malware, especially the bad ones, can prevent combofix and other anti malware products from scanning or running at all. You were lucky to be able to delete those particular files, as they could have continued to wreak havoc on your computer. Here is a Microsoft article on cleaning up the files and adjusting the size of storage.

http://support.microsoft.com/kb/260897

Author Comment

by:dgrrr
ID: 39858221
I often clean out temp folders, but I've never gone to:
   ...system32\config\systemprofile
because when I saw it, I assumed it was used by some 3rd party registry backup program (a la erunt).

Is that normally a common place for temp files to go? What program or event puts files there?  Google says it's a backup of the local user...
LVL 48

Expert Comment

by:dbrunton
ID: 39858253
LVL 91

Expert Comment

by:nobus
ID: 39858371
blind link alert ??    :-))

in such heavily infected systems, i do 2 things :
1-i scan from an updated boot cd, like kaspersky, or AV or microsoft offline defender:
http://windows.microsoft.com/nl-be/windows/what-is-windows-defender-offline

2-if this does not help much, i go for a fresh install, after backup; it saves time in the end

Author Comment

by:dgrrr
ID: 39858384
"It is the profile directory for the system user account, which is the user running the root IIS process host instance"

Refs to IIS notwithstanding, I'm guessing that the "system user account" runs essential windows processes and records global system settings regardless of which user is logged in.  And for some reason Windows 7 puts it under the registry hive file folder instead of C:\Users\.

And (forgive my ignorance) I'm assuming that a "profile directory" is the same as a "user account directory" (aka User Account Profile Directory?).

But why would the "system user account" download a bunch of temporary internet files?  Does it COPY "content.ie5" from the User folders?
LVL 48

Expert Comment

by:dbrunton
ID: 39858460
No need to plead ignorance.  I misread your question and assumed the %APPDATA% directory was in the normal place.  In this case it isn't.

>>  I'm guessing that the "system user account" runs essential windows processes and records global system settings regardless of which user is logged in.  And for some reason Windows 7 puts under the registry hive file folder instead of C:\Users\.

Googling indicates this.  Also see later.

>>  "user account directory" (aka User Account Profile Directory?).

Looks like it.  I have problems with Microsoft terminology and documents.  The eyes go glassy and after I have read it I can't remember it.  Like there was no information there.  I can find information on the System User Account for Windows XP but little about it for Windows Vista/7.  For XP it is very similar to Admin account but slightly more powerful in that it runs essential services.

>>  But why would the "system user account" download a bunch of temporary internet files?  Does it COPY "content.ie5" from the User folders?

Using Google I can find examples of users having problems after updates with their desktops going missing and ending up in "system32\config\systemprofile\"  I'll assume they were using their computer as Administrator or possibly System (but not sure how they did the last) and the data got copied or moved across.  So it is possible this occurred.  But 9 Gb of data?  There must have been a lot of surfing or something involved as System (or Administrator).
LVL 91

Expert Comment

by:nobus
ID: 39858685
did you test if a scan from a bootable cd also hangs ?
LVL 9

Expert Comment

by:discgman
ID: 39859406
Here is some more interesting information from microsoft

http://answers.microsoft.com/en-us/ie/forum/ie10-windows_7/explorer-10-downloading-massive-number-of-files/1b51fbf8-9cc2-4ed2-a150-947d7e02bb5f

Lots of resetting IE settings and cleaning out folders.
LVL 48

Assisted Solution

by:dbrunton
dbrunton earned 300 total points
ID: 39860040
Interesting.

The article indicates the Alureon rootkit can cause this.  If the original fake security virus was Security Essentials 2010, see https://en.wikipedia.org/wiki/Alureon, that would explain what is happening on this machine.

Have a good read of that Wikipedia article.  You may need to check the MBR on that machine or redo it as a final check.

But again Alureon seems to be the culprit here and the explanation.
LVL 91

Expert Comment

by:nobus
ID: 39861007
the article also says ". It may be useful to perform an offline scan " as i suggested
but i received no comment on it....
LVL 59

Expert Comment

by:LeeTutor
ID: 39914942
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
LVL 48

Expert Comment

by:dbrunton
ID: 39914943
Don't delete.  Refund the Asker's points and keep.  There is a lot of valuable information in this thread.

Author Comment

by:dgrrr
ID: 39915295
Sorry all, I'm terrible about keeping up with my EE responses.

I DID run a scan from a freshly updated Kaspersky Rescue Disk, and it did remove some threats (I think they were labelled "trojans"). But the hanging of programs continued AFTER the Kaspersky boot disk scan.

I also had run TDSSKILLER in special mode (with items checked as suggested on bleepingcomputer, as well as normal mode).

The other item suggested by Wikipedia for Alureon is Windows Defender Offline. My instinct is not to bother with Microsoft products. Have any of you tried this tool?

AND OH YEAH - the infection came back this week!  (Weeks after all of the above)

I'm guessing that (in general) antimalware tools that run from within windows can't get at viruses in the MBR? (Or certain drivers?)
LVL 48

Expert Comment

by:dbrunton
ID: 39915316
>>  I'm guessing that (in general) antimalware tools that run from within windows can't get at viruses in the MBR? (Or certain drivers?)

Not at the MBR anyway.  Some drivers I think but need more confirmation from others.

>>  I DID run a scan from a freshly updated Kaspersky Rescue Disk, and it did remove some threats (I think they were labelled "trojans"). But the hanging of programs continued AFTER the Kaspersky boot disk scan.

Yeah, so there's still stuff there.  Trouble is nowadays you have to hit the virii with two or three applications to make sure you get everything.

>>  AND OH YEAH - the infection came back this week!

Time to wipe and reinstall.