ShadowPuterDude
Everything posted by ShadowPuterDude

  1. Saddened by the news of Matt's passing. Matt you will be missed.
  2. Thanks, I must really log in more often.
  3. As Bruce has pointed out, A2AM and MBAM are not the same class of applications. Now, as far as they didn't get it: I know from personal experience that the EMSI Software developers do get it, at least the ones I have spoken with at one point or another. Any speculation, by anyone, about what happened or did not happen between the person recently terminated by EMSI and EMSI management is just that, speculation. The job of a security application can be broken down into 3 things:
     1. Prevention (A2AM excels at this)
     2. Detection (A2AM has problems with False Positives, as do many other AV/AS/AM applications. Most notably McAfee: a few weeks back a McAfee update was responsible for rendering inoperable quite a few Windows servers, some of them mission critical servers, all over the globe. The McAfee update incorrectly identified several critical Windows system files as malicious and deleted them. In A2AM's defense the false positives are quickly corrected, once EMSI has been notified of the FP.)
     3. Mitigation (A2AM fails to remove some of the nastier infections, as do most of the other AV/AS/AM applications, that's if they even detect the infection in the first place. However, A2AM informs the user when it fails to remove a particular infection and refers them to the a-squared support forums, for assistance in removing the malware.)
     DISCLAIMER: Other than being an EMSI Software affiliate, and the head of their Malware Removal forum, I have absolutely no financial ties to EMSI Software, and I am not employed by EMSI Software. As Marcin posted earlier in this thread, he had spoken with Christian and Christian had properly dealt with the situation. If Marcin is satisfied with how this was handled by EMSI Software, then who are we to demand anything differently?
  4. The individual responsible for those postings is no longer an employee of EMSI Software. His employment was terminated upon learning of the postings. I can't make any further comments, as I have no direct knowledge of what transpired. http://forum.emsisoft.com/Default.aspx?g=posts&t=5771
  5. I'm a little late in seeing this. Thanks everybody. My daughter showed up at the Fire Department meeting that night with cake and ice cream.
  6. It appears that the Visual Basic Scripting Engine is broken on this system. You were able to successfully run ComboFix, twice, which relies on vbs for several of its functions. You haven't been able to run anything that calls VB since. I've had you register the VB runtimes, rebuild and then reinstall WMI/WBEM to no effect. I believe it is time for a repair install of the operating system.
  7. Took me a little while to figure out what the error "(null): 0x80041003" means. That error code is "WMI: access denied". This indicates that your user account does not have the Remote Enable WMI security permission. Since all members of the local administrators group have this automatically, your account is somehow not being recognized as a member of the local administrators group.
     1. From the main Windows Desktop, click on START >> SETTINGS >> CONTROL PANEL
     2. Choose ADMINISTRATIVE TOOLS.
     3. From the Administrative Tools dialogue, select COMPUTER MANAGEMENT
     4. Click on the
  8. Copy the contents of the below code box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).

         REGEDIT4

         [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
         "ShowDeskFix"=-
         "IE7-10"=-

         [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
         "ShowDeskFix"=-
         "IE7-10"=-

     Close Notepad. Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.
     Delete: C:\Documents and Settings\All Users\Application Data\{DB67A7C2-632D-4A8E-8BB3-5B4814B91B48}
     Reboot
     Move DSS to your Desktop, that is where it is supposed to be.
     Attach fresh logs for: DSS, ISeeYouXP
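As an added example (not from the post or the forum), a small Python parser for the REGEDIT4 .reg format used in the fix above, so a fix like it can be reviewed before being merged: it distinguishes value deletion (`"name"=-`) from key deletion (`[-key]`) and plain value writes, and checks that a fix only removes values under RunOnce keys. FIXREG is a constructed copy of the post's fix; the function names are my own.

```python
import re
from typing import Dict, Optional

# Constructed sample: the two-key RunOnce cleanup from the post above.
FIXREG = r"""REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=-
"IE7-10"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=-
"IE7-10"=-
"""

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')          # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data

def parse_reg(text: str) -> Dict[str, Optional[Dict[str, Optional[str]]]]:
    """Map each key (lower-cased) to None for a key deletion, or to a dict of
    value name -> data, where data is None for a value deletion ("name"=-)
    and the raw data string otherwise. Blank lines and ';' comments are skipped."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing .reg header")
    result: Dict[str, Optional[Dict[str, Optional[str]]]] = {}
    current: Optional[Dict[str, Optional[str]]] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.group(1), m.group(2).lower()
            if minus:                      # [-KEY] deletes the whole key
                result[key] = None
                current = None
            else:
                if result.get(key) is None:
                    result[key] = {}
                current = result[key]
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsed line: {raw!r}")
        name = m.group(2) or m.group(1).replace('\\"', '"')
        data = m.group(3).strip()
        current[name] = None if data == "-" else data
    return result

def only_deletes_under(parsed, suffix: str) -> bool:
    """True when every operation is a value deletion inside a key ending in suffix."""
    for key, values in parsed.items():
        if values is None or not key.endswith(suffix.lower()):
            return False
        if any(data is not None for data in values.values()):
            return False
    return True
```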
  9. Looks like Malware is most likely the culprit here. Most of the tools we normally use rely on VB script and WMI to do some of the needed tasks. Going to have you use a different tool to take a look at the system. Download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
  10. Download VB6 SSubTmr Binary.zip (11K) to your Desktop. Unzip SSubTmr6.dll to C:\WINDOWS\System32
      Download VB6 ImageList Control Binary.zip (32K) to your Desktop. Unzip vbalIml6.ocx to C:\WINDOWS\System32
      Download VB6 SGrid 2 Binary.zip (173K) to your Desktop. Unzip vbalSGrid6.ocx to C:\WINDOWS\System32
      Do the following: Start -> Run, type: cmd.exe, click 'OK'. The command console will open. Enter the following commands at the command prompt, pressing the enter key after every command:
          regsvr32 SSubTmr6.dll
          regsvr32 vbalIml6.ocx
          regsvr32 vbalSGrid6.ocx
          exit
      The Command Console will close.
      Download Dial-a-Fix to your Desktop. Unzip Dial-a-fix-v0.60.0.24.zip to your Desktop. Open the Dial-a-fix-v0.60.0.24 folder. Double-click Dial-a-fix.exe. Click on the Tools button, looks like a hammer. Scroll down and select 'Reset WMI/WBEM'. Click 'GO'. Exit Dial-a-fix. Run ISeeYouXP.
      If you are still getting errors run Dial-a-fix again. Click on the Tools button, looks like a hammer. Scroll down and select 'Reinstall WMI/WBEM'. Click 'GO'. NOTE: You may be prompted for your installation media. Exit Dial-a-fix. Run ISeeYouXP.
  11. Do the following: Start -> Run, type: cmd.exe, click 'OK'. The command console will open. Enter the following commands at the command prompt, pressing the enter key after every command:
          regsvr32 vbalgrid.ocx
          regsvr32 vbscript.dll
          exit
      The Command Console will close. If there are any error messages I need to know that and what they are. If the dll and activex control registered properly, run ISeeYouXP again. If ISeeYouXP ran successfully, attach that log.
  12. Download and install Windows Script 5.7 for Windows XP; and then run ISeeYouXP again. See if that makes a difference.
  13. That log has been edited to remove information that is vital to properly diagnosing the system. Run ISeeYouXP and attach the log here, unedited. If the log is too large then zip the log and attach it. Do NOT upload the log to any third-party services.
  14. Why do you insist on editing your logs? Your Runscanner log is missing the following information:
      002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
      003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
      005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup
      Your previous HijackThis logs have been edited as well, to remove the Startup information. What are you hiding? By not providing complete information, the individual helping you cannot make an accurate assessment and provide a proper solution, because they do not have all the information.
      Start Runscanner and select Beginner Mode. Click 'OK'. Click 'Start full scan'. When prompted, save the binary .run file to your Desktop as drgill_co.run. When prompted, save the runscanner scan log to your Desktop as drgill_co.log. Now attach both files in your next reply. DO NOT edit your runscanner log.
  15. No, they are not. Windows Systems Files are easily replaced. Windows File Protection does not prevent Malware from replacing Windows System Files with infected copies.
  16. The only known weakness in System Restore was with the permissions of the subfolders in the 'System Volume Information' directory. The weakness would allow an unprivileged user, who had sufficient knowledge, to view the contents of the subfolders. This had to be done locally, and was fixed in Windows XP SP1. If you kept seeing infections 'respawning' after reboots, and they only disappeared after clearing the restore points, then the Restore Point itself was infected. There is absolutely no Anti-Virus, Anti-Malware, Anti-Spyware application that can clean an infected restore point. The data store is explicitly protected and the files in the data store can only be manipulated by System Restore.
  17. Once again. Nothing other than System Restore can manipulate the files in the _Restore folder. They are protected and can only be accessed by System Restore. If Malware is executing a System Restore, it will be painfully obvious. When load points are not removed, it is because something prevented the removal. In other words, an active Malware process prevented the removal of the load point, or some protection application prevented its removal. In either case the Malware respawns at reboot. There have been times that I have instructed the user to just unplug the computer instead of shutting down cleanly. It is rare that I do this, but it breaks the load point and the Malware doesn't respawn.
  18. There is absolutely no way an external program can manipulate files within the data store. The only way for an infection to come back from a Restore Point is by doing a System Restore using the infected Restore Point. If a System Restore is being done, it will be obvious to the user. If an infection is respawning, it is because of the following:
      A) The user failed to follow instructions.
      B) A load point was not removed.
      C) Unpatched Operating System
      D) Old versions of Flash and/or Java in use.
      E) The user is doing a System Restore, related to A.
      F) The user is surfing and downloading during the disinfection process.
      Any one, or a combination, of the above.
  19. Unless a System Restore is done from an infected Restore Point, there is no way the infection can be restored from that location. Respawning malware is almost always caused by a load point that was not removed during disinfection. That is why you should never rely solely on HJT for malware removal.
  20. Though many AV/AS/AM applications will detect infected System Restore Points (SRP), they cannot clean a SRP. Quoting MS: This all goes back to the days of Windows ME when SRP was first introduced.
  21. Hello, Jean has asked me to have a look here and see if there is something that can be done to bring the system back to an operable state.
      Download: - ISeeYouXP by ShadowPuterDude
      Double-click ISeeYouXP.exe; ISeeYouXP will be extracted to C:\ISeeYouXP, and a shortcut to ISeeYouXP.bat will be placed on the Desktop. Double-click the ISeeYouXP shortcut to run ISeeYouXP.
      Possible Error Messages
      If your ISeeYouXP.txt log appears to be empty or semi-empty, or you get an error message similar to the below when running ISeeYouXP.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS.
      To fix the above error message, choose the download below which is appropriate for your system:
      For Windows XP Pro: download and run: XPproFix
      For Windows XP Home: download and run: XPHomeFix
      For Windows 2000: download and run: W2KFix
      Then run ISeeYouXP.bat again and attach the log.
      - A possible second type of error message may occur as shown in the quote box below! If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem
      After attempting to fix the above errors, run ISeeYouXP.bat and attach the log. This log is quite long, as it dumps a lot of data about your system state, file system and registry. Attach the ISeeYouXP log. It will be on your Desktop.
  22. Very nice. That will stand out very nicely in the systray.
  23. Hardhead, thanks for the welcome. I'm a few days slow in answering.
  24. Hello, kick. Seen you around.