ballgj
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
rkill run successfully, but still the same problem with ComboFix hanging and MBAR giving the "Entry Point Not Found" error. Here is the rkill report:

kill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/13/2012 02:22:40 PM in x86 mode.
Windows Version: Windows 7 Enterprise Service Pack 1

Checking for Windows services to stop:
* No malware services found to stop.

Checking for processes to terminate:
* C:\Windows\system32\DRIVERS\o2flash.exe (PID: 336) [WD-HEUR]
1 proccess terminated!

Checking Registry for malware related settings:
* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
* No issues found.

Checking Windows Service Integrity:
* No issues found.

Searching for Missing Digital Signatures:
* No issues found.

Checking HOSTS File:
* No issues found.

Program finished at: 11/13/2012 02:22:58 PM
Execution time: 0 hours(s), 0 minute(s), and 17 seconds(s)
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
Seems to be doing exactly the same in safe mode and hanging before it gets to stage 1. How long should I leave it?
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
I've left it going for a good hour and it hasn't got beyond the scanning for infected files. No stages are complete, but it appears to be running still, how long should it be left for?
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
I started running combofix and after about 15mins I got a message, saying Freeware implementation of XCACLS has stopped working. Closed this message and combofix seems to still be running, is this a problem?
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
Ok, so RogueKiller doesn't work still. I run as administrator and allow it access but nothing happens after that. It doesn't start. I'll have a go with ComboFix. It looks like the DHCP now has to be started manually each time I reboot, even though it is set to start automatically. So there is still something amiss with that.
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
thanks for all your help! it's made a big difference, just realising the tdx.sys was a problem and getting it sorted to get the dhcp up again is great. hopefully we can locate whatever is behind the installation problems on the malware. thanks again. I've checked the scheduler now and it is doing restores once a day and reg backup every 10.
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
i've just run the fss again after the fix and the tdx.sys problem appears to be sorted:

Farbar Service Scanner Version: 09-11-2012
Ran by greg (administrator) on 12-11-2012 at 23:35:55
Running from "C:\Users\greg\Desktop"
Windows 7 Enterprise Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys [2012-09-12 23:33] - [2012-08-22 17:16] - 1292144 ____A (Microsoft Corporation) A5EBB8F648000E88B7D9390B514976BF
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll [2012-10-10 15:19] - [2012-06-02 04:36] - 0140288 ____A (Microsoft Corporation) 96C0E38905CFD788313BE8E11DAE3F2F
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
it seems it did the restore automatically with the last windows update, so that might be working fine - do you expect it to keep more than one? the error messages I've got have been the same using the inherit.exe as I had previously without it. i have just run an sfc /scannow from the cmd prompt in the hope of fixing the dhcp problem and that worked! so my initial issue is sorted. I'm still concerned that none of the malware checkers will install though - suggests that something is there.
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
unfortunately not - I checked when I made the new restore point this afternoon and there is only one from a few days ago, when the problem was already there. I've had intermittent problems with connecting to the internet for a few months, but it's fine when I define a static ip at home, so it's not been a major issue. only I need to have internet functioning elsewhere now, without the static IP address. having done some reading online it looks like there is a problem with the DHCP client not starting. I was hoping a cleanup would fix it, but it appears more serious now in that I can't get any of the cleanup programs installed! in future, once I get this sorted, is it sensible to create restore points regularly?
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
I've disabled sophos scanning and no longer get the threat detected. When I drag the programs on Inherit it says ok, but they still all behave as they have done previously with the same error messages.
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
I get the OK, but when I try to run the files Sophos picks up something and quarantines it. Should I disable Sophos?
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
no luck in safe mode either
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
unfortunately another error message... "The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail" Running it from the extracted folder on the desktop (again extracted on the other machine before transfer). I'll try now in safe mode as well.
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
the mbar.exe still gives the same error message
malwarebytes won't install - am I infected?
ballgj replied to ballgj's topic in Resolved Malware Removal Logs
this works. just rebooting. shall I try the mbar.exe again?