Is one folder causing antimalware scanners to hang / fail?

On a Windows 7 PC infected with a fake security virus, I was able to get into safe mode. But (1) rkill (which I had renamed) kept freezing / stopping at the same point (checking the firewall), (2) combofix's windows would just disappear without running the scan, and (3) TFC by Oldtimer would get to a certain point and seem to get stuck forever (at "windows temp files").  Based on what I read online, I didn't bother letting TFC run more than 30 mins.

I ran a bunch of other stuff (Kaspersky Rescue Disk, HitmanPro, Adwcleaner, Roguekiller, MBAR, etc), and when I returned to Normal Mode, there was no further virus activity.  HOWEVER, those three programs (rkill, combofix & TFC) froze / failed to finish.

I scheduled a scandisk ("chkdsk /r") & rebooted, but it seemed to complete way too fast (it took 1 second to say, "volume clean"), so I ran ScanDisk from a boot disk (Hiren's miniXP). Then I was able to run Scandisk normally (it ran all 5 stages).  But the 3 above hanging issues persisted.

And as a weird side-note, I noticed that if I ran combofix, and let its windows disappear, and then I ran HitmanPro, the combofix Autoscan window would appear and run alongside HitmanPro. Combofix completed and fixed some stuff. But the 3 problems persisted.


Then I noticed that HitmanPro was spending a lot of time scanning this folder:
 "c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files...."

This folder had about 9gb in it. When I tried to delete this folder, it was still executing 30 minutes later. So I let the "deleting folder" window run over night. In the morning, the folder was gone, and ALL THREE of the above problems were gone (rkill, TFC & combofix all ran normally now).

So I'm guessing there were two problems - (1) a virus, and (2) a folder with a very long path inside it (or something funky).
____
My questions are:
(1) Is it likely that that folder or something inside it was causing the 3 problems?
(2) How would that work?
(3) In case this happens again in the future, is there a way I can recognize that I need to delete a particular folder to move forward?

thx!
dgrrr Asked:

dbrunton Commented:
>>  (1) Is it likely that that folder or something inside it was causing the 3 problems?

Quite possible.

(2) How would that work?

Suggestions only.  

Could be the applications concerned running out of memory.  If they required pieces of memory to handle each file in the folder and weren't releasing memory back to the OS when finished with the file then the OS could eventually run out of free memory.

Or a corrupt file name or corrupt file they couldn't handle but the delete process could handle OK.

Remember these are suggestions.  Other experts will probably chip in with others.

(3) In case this happens again in the future, is there a way I can recognize that I need to delete a particular folder to move forward?

You've recognized some symptoms and can use that knowledge in the future.  Very nice deducing there.  Cleaning out temp folders is a good way of helping cure virus problems and helping the scanning process.  %APPDATA% is a common place for virii to hide.
0
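As an added example (mine, not code from anyone in this thread), here is the kind of check question (3) asks for: a small Python script that walks a tree and flags directories with an unusually large number of files, an unusually large number of bytes, child paths at or past the classic Win32 MAX_PATH limit of 260 characters, or entries it cannot stat. Those are the conditions dbrunton's suggestions (memory per file, a corrupt name the tool cannot handle) point at. The thresholds, the sample tree and the names it builds (a Content.IE5 cache folder with a few hundred files, a deeply nested chain of directories) are constructed for the demo and are not from the asker's machine.

```python
"""Flag directories that are likely to stall file-by-file tools.

Added example: walks a tree and reports directories with very many files,
very many bytes, child paths at or beyond the Win32 MAX_PATH limit, or
entries that cannot be stat'ed. Thresholds and the demo tree are constructed.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# Classic Win32 path limit; tools that do not use the \\?\ prefix fail past it.
WIN_MAX_PATH = 260


@dataclass
class DirStats:
    path: str
    file_count: int = 0            # files directly inside this directory
    total_bytes: int = 0           # their combined size
    longest_path: int = 0          # longest full path of any direct child
    unreadable: list = field(default_factory=list)  # children stat() refused


def scan_tree(root, max_files=10_000, max_bytes=2 * 1024 ** 3,
              path_len_limit=WIN_MAX_PATH):
    """Return (suspects, walk_errors) for the tree under root.

    A directory is a suspect when it holds at least max_files files or
    max_bytes bytes, when any direct child's path reaches path_len_limit,
    or when some child could not be examined. Suspects come biggest first.
    """
    stats = {}
    walk_errors = []

    def on_error(err):
        # Record and keep going: an unreadable subtree is itself a finding.
        walk_errors.append(f"{err.filename}: {err.strerror}")

    for dirpath, dirnames, filenames in os.walk(root, onerror=on_error):
        ds = DirStats(dirpath)
        for name in filenames:
            full = os.path.join(dirpath, name)
            ds.file_count += 1
            ds.longest_path = max(ds.longest_path, len(full))
            try:
                ds.total_bytes += os.lstat(full).st_size
            except OSError as exc:
                ds.unreadable.append(f"{full}: {exc.strerror}")
        for name in dirnames:
            ds.longest_path = max(ds.longest_path,
                                  len(os.path.join(dirpath, name)))
        stats[dirpath] = ds

    suspects = [d for d in stats.values()
                if d.file_count >= max_files
                or d.total_bytes >= max_bytes
                or d.longest_path >= path_len_limit
                or d.unreadable]
    suspects.sort(key=lambda d: (d.total_bytes, d.file_count), reverse=True)
    return suspects, walk_errors


def build_sample_tree():
    """Constructed demo tree: a fat cache folder plus a very deep chain."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    cache = os.path.join(root, "Temporary Internet Files", "Content.IE5", "ABCD1234")
    os.makedirs(cache)
    for i in range(300):                       # 300 files x 16 bytes each
        with open(os.path.join(cache, f"item{i:04d}.tmp"), "wb") as fh:
            fh.write(b"x" * 16)
    deep = root
    for _ in range(6):                         # six 30-character components
        deep = os.path.join(deep, "a" * 30)
    os.makedirs(deep)
    return root


def demo():
    """Scan the constructed tree with low thresholds; return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root, max_files=100, max_bytes=1024 ** 2,
                         path_len_limit=120)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    found, errors = demo()
    for d in found:
        print(f"{d.file_count:6d} files {d.total_bytes:10d} bytes "
              f"longest path {d.longest_path:4d}  {d.path}")
    for e in errors:
        print("walk error:", e)
```

Run against a real profile, `scan_tree(r"C:\Windows\System32\config\systemprofile\AppData\Local")` with the default thresholds would have reported the 9 GB Temporary Internet Files tree at the top of the list before any cleanup tool was started; the low thresholds in `demo()` exist only so the constructed tree trips them.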
 
discgman Commented:
I would think the files you deleted were temporary internet files, which would have housed some of the virus/malware that was infecting your pc. Certain types of malware, especially the bad ones, can prevent combofix and other anti malware products from scanning or running at all. You were lucky to be able to delete those particular files, as they could have continued to wreak havoc on your computer. Here is a Microsoft article on cleaning up the files and adjusting the size of storage.

http://support.microsoft.com/kb/260897
0
 
dgrrr (Author) Commented:
I often clean out temp folders, but I've never gone to:
   ...system32\config\systemprofile
because when I saw it, I assumed it was used by some 3rd party registry backup program (a la erunt).

Is that normally a common place for temp files to go? What program or event puts files there?  Google says it's a backup of the local user...
0

nobus Commented:
blind link alert ??    :-))

in such heavily infected systems, i do 2 things :
1-i scan from an updated boot cd, like kaspersky, or AV or microsoft offline defender:
http://windows.microsoft.com/nl-be/windows/what-is-windows-defender-offline

2-if this does not help much, i go for a fresh install, after backup; it saves time in the end
0
 
dgrrr (Author) Commented:
"It is the profile directory for the system user account, which is the user running the root IIS process host instance"

Refs to IIS notwithstanding, I'm guessing that the "system user account" runs essential windows processes and records global system settings regardless of which user is logged in.  And for some reason Windows 7 puts it under the registry hive file folder instead of C:\Users\.

And (forgive my ignorance) I'm assuming that a "profile directory" is the same as a "user account directory" (aka User Account Profile Directory?).

But why would the "system user account" download a bunch of temporary internet files?  Does it COPY "content.ie5" from the User folders?
0
 
dbrunton Commented:
No need to plead ignorance.  I misread your question and assumed the %APPDATA% directory was in the normal place.  In this case it isn't.

>>  I'm guessing that the "system user account" runs essential windows processes and records global system settings regardless of which user is logged in.  And for some reason Windows 7 puts under the registry hive file folder instead of C:\Users\.

Googling indicates this.  Also see later.

>>  "user account directory" (aka User Account Profile Directory?).

Looks like it.  I have problems with Microsoft terminology and documents.  The eyes go glassy and after I have read it I can't remember it.  Like there was no information there.  I can find information on the System User Account for Windows XP but little about it for Windows Vista/7.  For XP it is very similar to Admin account but slightly more powerful in that it runs essential services.

>>  But why would the "system user account" download a bunch of temporary internet files?  Does it COPY "content.ie5" from the User folders?

Using Google I can find examples of users having problems after updates with their desktops going missing and ending up in "system32\config\systemprofile\"  I'll assume they were using their computer as Administrator or possibly System (but not sure how they did the last) and the data got copied or moved across.  So it is possible this occurred.  But 9 Gb of data?  There must have been a lot of surfing or something involved as System (or Administrator).
0
 
nobus Commented:
did you test if a scan from a bootable cd also hangs ?
0
 
discgman Commented:
Here is some more interesting information from Microsoft

http://answers.microsoft.com/en-us/ie/forum/ie10-windows_7/explorer-10-downloading-massive-number-of-files/1b51fbf8-9cc2-4ed2-a150-947d7e02bb5f

Lots of resetting IE settings and cleaning out folders.
0
 
dbrunton Commented:
Interesting.

The article indicates the Alureon rootkit can cause this.  If the original fake security virus was Security Essentials 2010, see https://en.wikipedia.org/wiki/Alureon, that would explain what is happening on this machine.

Have a good read of that Wikipedia article.  You may need to check the MBR on that machine or redo it as a final check.

But again Alureon seems to be the culprit here and the explanation.
0
 
nobus Commented:
the article also says ". It may be useful to perform an offline scan " as i suggested
but i received no comment on it....
0
 
LeeTutor Commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
dbrunton Commented:
Don't delete.  Refund the Asker's points and keep.  There is a lot of valuable information in this thread.
0
 
dgrrr (Author) Commented:
Sorry all, I'm terrible about keeping up with my EE responses.

I DID run a scan from a freshly updated Kaspersky Rescue Disk, and it did remove some threats (I think they were labelled "trojans"). But the hanging of programs continued AFTER the Kaspersky boot disk scan.

I also had run TDSSKILLER in special mode (with items checked as suggested on bleepingcomputer, as well as normal mode).

The other item suggested by Wikipedia for Alureon is Windows Defender Offline. My instinct is not to bother with Microsoft products. Have any of you tried this tool?

AND OH YEAH - the infection came back this week!  (Weeks after all of the above)

I'm guessing that (in general) antimalware tools that run from within windows can't get at viruses in the MBR? (Or certain drivers?)
0
 
dbrunton Commented:
>>  I'm guessing that (in general) antimalware tools that run from within windows can't get at viruses in the MBR? (Or certain drivers?)

Not at the MBR anyway.  Some drivers I think but need more confirmation from others.

>>  I DID run a scan from a freshly updated Kaspersky Rescue Disk , and it did remove some threats (I think they were labelled "trojans"). But the hanging of programs continued AFTER the Kaspersky boot disk scan.

Yeah, so there's still stuff there.  Trouble is nowadays you have to hit the virii with two or three applications to make sure you get everything.

>>  AND OH YEAH - the infection came back this week!

Time to wipe and reinstall.
0