ShadowPuterDude (Honorary Members, 82 posts)

Posts posted by ShadowPuterDude

  1. As Bruce has pointed out, A2AM and MBAM are not the same class of applications.

    Now, as far as them not getting it: I know from personal experience that the EMSI Software developers do get it, at least the ones I have spoken with at one point or another.

    Any speculation, by anyone, about what happened or did not happen between the person recently terminated by EMSI and EMSI management is just that: speculation.

    The job of a security application can be broken down to 3 things:

    1. Prevention (A2AM excels at this)

    2. Detection (A2AM has problems with False Positives, as do many other AV/AS/AM applications, most notably McAfee. A few weeks back a McAfee update was responsible for rendering inoperable quite a few Windows servers, some of them mission-critical servers, all over the globe. The McAfee update incorrectly identified several critical Windows system files as malicious and deleted them. In A2AM's defense, the false positives are quickly corrected once EMSI has been notified of the FP.)

    3. Mitigation (A2AM fails to remove some of the nastier infections, as do most of the other AV/AS/AM applications, that's if they even detect the infection in the first place. However, A2AM informs the user when it fails to remove a particular infection and refers them to the a-squared support forums, for assistance in removing the malware.)

    DISCLAIMER: Other than being an EMSI Software affiliate, and the head of their Malware Removal forum, I have absolutely no financial ties to EMSI Software, and I am not employed by EMSI Software.

    As Marcin posted earlier in this thread, he had spoken with Christian, and Christian had properly dealt with the situation. If Marcin is satisfied with how this was handled by EMSI Software, then who are we to demand anything differently?

  2. It appears that the Visual Basic Scripting Engine is broken on this system. You were able to successfully run ComboFix, twice, which relies on VBS for several of its functions.

    You haven't been able to run anything that calls VB since.

    I've had you register the VB runtimes, rebuild and then reinstall WMI/WBEM to no effect.

    I believe it is time for a repair install of the operating system.

  3. Took me a little while to figure out what the error "(null): 0x80041003" means.

    That error code is "WMI: access denied". This indicates that your user account does not have the Remote Enable WMI security permission. Since all members of the local administrators group have this automatically, your account is somehow not being recognized as a member of the local administrators group.

    1. From the main Windows Desktop, click on START >> SETTINGS >> CONTROL PANEL

    2. Choose ADMINISTRATIVE TOOLS .

    3. From the Administrative Tools dialogue, select COMPUTER MANAGEMENT

    4. Click on the

  4. Copy the contents of the below code box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).

    REGEDIT4

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "ShowDeskFix"=-
    "IE7-10"=-

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
    "ShowDeskFix"=-
    "IE7-10"=-

    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Delete:

    C:\Documents and Settings\All Users\Application Data\{DB67A7C2-632D-4A8E-8BB3-5B4814B91B48}

    Reboot

    Move DSS to your Desktop; that is where it is supposed to be.

    Attach fresh logs for:

    DSS

    ISeeYouXP
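    Before merging a .reg file like the one in post 4, a reviewer wants to see exactly which values it deletes and whether it also adds anything under a Run/RunOnce key. The parser below is an added example and is not code from the post or from any of the tools it names; the sample input is constructed, copying the post's two RunOnce keys plus one made-up "set" line so both actions are exercised.

```python
import re

# Constructed sample (REGEDIT4): the post's RunOnce clean-up plus one constructed "set" line.
SAMPLE_REG = """REGEDIT4

[HKEY_USERS\\.default\\software\\microsoft\\windows\\currentversion\\runonce]
"ShowDeskFix"=-
"IE7-10"=-

[HKEY_USERS\\s-1-5-18\\software\\microsoft\\windows\\currentversion\\runonce]
"ShowDeskFix"=-
"IE7-10"=-
"Example"="C:\\\\tools\\\\example.exe"
"""

# A value line is either @=<data> (the key's default value) or "<name>"=<data>.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
# Autostart keys a reviewer cares about: ...\CurrentVersion\Run and \RunOnce.
AUTOSTART_RE = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)


def parse_reg(text):
    """Return (key, value_name, action, data) tuples; action is 'delete_key', 'delete_value' or 'set'."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing .reg header")
    entries, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):               # [-HKEY...] removes the whole key
                entries.append((body[1:], None, "delete_key", None))
                key = None
            else:
                key = body
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            raise ValueError("malformed line: %r" % line)
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        action = "delete_value" if m.group(3) == "-" else "set"   # "Name"=- deletes the value
        entries.append((key, name, action, None if action == "delete_value" else m.group(3)))
    return entries


def autostart_additions(entries):
    """Entries that create or overwrite a value under Run/RunOnce, i.e. the merge adds persistence."""
    return [e for e in entries if e[2] == "set" and AUTOSTART_RE.search(e[0])]
```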

  5. Looks like Malware is most likely the culprit here. Most of the tools we normally use rely on VB script and WMI to do some of the needed tasks.

    Going to have you use a different tool to take a look at the system.

    Download Deckard's System Scanner (DSS) and save it to your Desktop.

    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  6. Download VB6 SSubTmr Binary.zip (11K) to your Desktop.

    Unzip SSubTmr6.dll to C:\WINDOWS\System32

    Download VB6 ImageList Control Binary.zip (32K) to your Desktop.

    Unzip vbalIml6.ocx to C:\WINDOWS\System32

    Download VB6 SGrid 2 Binary.zip (173K) to your Desktop.

    Unzip vbalSGrid6.ocx to C:\WINDOWS\System32

    Do the following:

    Start -> Run

    type: cmd.exe

    click 'OK'

    The command console will open.

    Enter the following commands at the command prompt pressing the enter key after every command:

    regsvr32 SSubTmr6.dll

    regsvr32 vbalIml6.ocx

    regsvr32 vbalSGrid6.ocx

    exit

    The Command Console will close.

    Download Dial-a-Fix to your Desktop.

    Unzip Dial-a-fix-v0.60.0.24.zip to your Desktop

    Open the Dial-a-fix-v0.60.0.24 folder

    Double-click Dial-a-fix.exe

    Click on the Tools button; it looks like a hammer.

    Scroll down and select 'Reset WMI/WBEM'

    Click 'GO'

    Exit Dial-a-fix

    Run ISeeYouXP

    If you are still getting errors, run Dial-a-fix again. Click on the Tools button; it looks like a hammer.

    Scroll down and select 'Reinstall WMI/WBEM'

    Click 'GO'

    NOTE: You may be prompted for your installation media.

    Exit Dial-a-fix

    Run ISeeYouXP

  7. Do the following:

    Start -> Run

    type: cmd.exe

    click 'OK'

    The command console will open.

    Enter the following commands at the command prompt pressing the enter key after every command:

    regsvr32 vbalgrid.ocx

    regsvr32 vbscript.dll

    exit

    The Command Console will close.

    If there are any error messages I need to know that and what they are.

    If the dll and activex control registered properly, run ISeeYouXP again.

    If ISeeYouXP ran successfully attach that log.

  8. Why do you insist on editing your logs?

    Your Runscanner log is missing the following information:

    002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)

    003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)

    005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup)

    Your previous HijackThis logs have been edited as well, to remove the Startup information. What are you hiding?

    By not providing complete information, the individual helping you cannot make an accurate assessment and provide a proper solution, because they do not have all the information.

    Start Runscanner and select Beginner Mode.

    Click 'OK'

    Click 'Start full scan'

    When prompted save the binary .run file to your Desktop as drgill_co.run.

    When prompted save the runscanner scan log to your Desktop as drgill_co.log.

    Now attach both files in your next reply. DO NOT edit your runscanner log.

  9. So are Windows system files.

    No, they are not. Windows system files are easily replaced. Windows File Protection does not prevent Malware from replacing Windows system files with infected copies.

  10. The only known weakness in System Restore was with the permissions of the subfolders in the 'System Volume Information' directory. The weakness would allow an unprivileged user, who had sufficient knowledge, to view the contents of the subfolders.

    This had to be done locally, and was fixed in Windows XP SP1.

    If you kept seeing infections 'respawning' after reboots, and they only disappeared after clearing the restore points, then the Restore Point itself was infected. There is absolutely no Anti-Virus, Anti-Malware or Anti-Spyware application that can clean an infected restore point.

    The data store is explicitly protected and the files in the data store can only be manipulated by System Restore.

  11. Once again.

    The _Restore folder is protected by default and prevents programs from using or manipulating the files that are within this folder. These files are inactive while in the data store and are not used by any utility other than System Restore.
    Nothing other than System Restore can manipulate the files in the _Restore folder. They are protected and only can be accessed by System Restore.

    If Malware is executing a System Restore, it will be painfully obvious.

    When load points are not removed, it is because something prevented the removal. In other words, an active Malware process prevented the removal of the load point, or some protection application prevented its removal. In either case the Malware respawns at reboot. There have been times that I have instructed the user to just unplug the computer instead of shutting down cleanly. It is rare that I do this, but it breaks the load point and the Malware doesn't respawn.

  12. There is absolutely no way an external program can manipulate files within the data store. The only way for an infection to come back from a Restore Point is by doing a System Restore using the infected Restore Point.

    If a System Restore is being done, it will be obvious to the user.

    If an infection is respawning, it is because the user:

    A) Failed to follow instructions.

    B) A load point was not removed.

    C) Unpatched Operating System

    D) Old versions of Flash and/or Java in use.

    E) The user is doing a System Restore, related to A.

    F) The user is surfing and downloading, during the disinfection process.

    Any one, or a combination of the above.

  13. The _Restore folder is protected by default and prevents programs from using or manipulating the files that are within this folder. These files are inactive while in the data store and are not used by any utility other than System Restore.
    Unless a System Restore is done from an infected Restore Point, there is no way the infection can be restored from that location.

    Respawning malware is almost always caused by a load point that was not removed during disinfection. That is why you should never rely solely on HJT for malware removal.

  14. Though many AV/AS/AM applications will detect infected System Restore Points (SRP), they cannot clean a SRP.

    Quoting MS:

    Although some antivirus programs may have the ability to work with files that have been compressed or stored in .zip or .cab file format, the System Restore feature does not permit these utilities to manipulate these files within the data store. The data store is protected for data integrity purposes, and the System Restore feature is the only method you can use to obtain access to the data store. Because of this, the antivirus program is unable to remove the virus from the file or files in the data store. The files in the data store are inactive and can be used only by the System Restore feature.
    The _Restore folder is protected by default and prevents programs from using or manipulating the files that are within this folder. These files are inactive while in the data store and are not used by any utility other than System Restore.

    The System Restore feature is not designed to detect or scan for virus infections or virus activity. Most computer virus infections seek or attack files with extensions such as .exe or .com. These are file types that the System Restore feature is designed to monitor.

    This all goes back to the days of Windows ME, when SRP was first introduced.

  15. Hello, Jean has asked me to have a look here and see if there is something that can be done to bring the system back to an operable state.

    Download:

    - ISeeYouXP by ShadowPuterDude

    Double-click ISeeYouXP.exe, ISeeYouXp will be extracted to C:\ISeeYouXP; and a shortcut to ISeeYouXP.bat will be placed on the Desktop.

    Double-click the ISeeYouXP shortcut to run ISeeYouXP.

    Possible Error Messages

    • If your ISeeYouXP.txt log appears to be empty or semi-empty or you get an error message similar to the below when running ISeeYouXP.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS
      C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Window applications.
      To fix the above error message, choose the download below which is appropriate for your system
      • For Windows XP Pro: download and run: XPproFix
      • For Windows XP Home: download and run: XPHomeFix
      • For Windows 2000: download and run: W2KFix

      Then run ISeeYouXP.bat again and attach the log.

      • A possible second type of error message may occur, as shown in the quote box below. If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem

    16 bit MS-DOS Subsystem

    drive:\program path

    XXXX. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application.

    -or-

    16 bit MS-DOS Subsystem

    drive:\program path

    SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.

    After attempting to fix the above errors, run ISeeYouXP.bat and attach the log.

    This log is quite long, as it dumps a lot of data about your system state, file system and registry.

    Attach the ISeeYouXP log. It will be on your Desktop.
