Posts posted by ballgj
Seems to be doing exactly the same in safe mode and hanging before it gets to stage 1. How long should I leave it?
-
I've left it going for a good hour and it hasn't got beyond the scanning for infected files. No stages are complete, but it appears to still be running. How long should it be left for?
-
I started running ComboFix and after about 15 mins I got a message saying "Freeware implementation of XCACLS has stopped working". I closed this message and ComboFix seems to still be running. Is this a problem?
-
Ok, so RogueKiller doesn't work still. I run as administrator and allow it access but nothing happens after that. It doesn't start.
I'll have a go with ComboFix.
It looks like the DHCP now has to be started manually each time I reboot, even though it is set to start automatically. So there is still something amiss with that.
-
Thanks for all your help! It's made a big difference. Just realising the tdx.sys was a problem and getting it sorted to get the DHCP up again is great. Hopefully we can locate whatever is behind the installation problems on the malware. Thanks again. I've checked the scheduler now and it is doing restores once a day and reg backup every 10.
-
I've just run the FSS again after the fix and the tdx.sys problem appears to be sorted:
Farbar Service Scanner Version: 09-11-2012
Ran by greg (administrator) on 12-11-2012 at 23:35:55
Running from "C:\Users\greg\Desktop"
Windows 7 Enterprise Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
Other Services:
==============
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-09-12 23:33] - [2012-08-22 17:16] - 1292144 ____A (Microsoft Corporation) A5EBB8F648000E88B7D9390B514976BF
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-10-10 15:19] - [2012-06-02 04:36] - 0140288 ____A (Microsoft Corporation) 96C0E38905CFD788313BE8E11DAE3F2F
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
-
It seems it did the restore automatically with the last Windows update, so that might be working fine. Do you expect it to keep more than one?
The error messages I've got have been the same using the inherit.exe as I had previously without it.
I have just run an sfc /scannow from the cmd prompt in the hope of fixing the DHCP problem and that worked! So my initial issue is sorted. I'm still concerned that none of the malware checkers will install though; it suggests that something is there.
-
Unfortunately not. I checked when I made the new restore point this afternoon and there is only one from a few days ago, when the problem was already there.
I've had intermittent problems with connecting to the internet for a few months, but it's fine when I define a static IP at home, so it's not been a major issue. Only I need to have internet functioning elsewhere now, without the static IP address. Having done some reading online it looks like there is a problem with the DHCP client not starting. I was hoping a cleanup would fix it, but it appears more serious now in that I can't get any of the cleanup programs installed!
In future, once I get this sorted, is it sensible to create restore points regularly?
-
I've disabled sophos scanning and no longer get the threat detected.
When I drag the programs on Inherit it says ok, but they still all behave as they have done previously with the same error messages.
-
I get the OK, but when I try to run the files Sophos picks up something and quarantines it. Should I disable Sophos?
-
No luck in safe mode either.
-
Unfortunately another error message...
"The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail"
I'm running it from the extracted folder on the desktop (again extracted on the other machine before transfer). I'll try now in safe mode as well.
-
The mbar.exe still gives the same error message.
-
This works. Just rebooting. Shall I try the mbar.exe again?
-
The registry installed fine, and the system restore point created fine.
I went to extract the mbar.zip archive and it fails on the infected machine: "the archive is either in unknown format or damaged".
But it extracted OK on the other machine, so I transferred this and then tried to run it from the desktop. It gives this error message:
mbar.exe - Entry Point Not Found
The procedure entry point ??0QVariant@@QAE@ABV0@@Z could not be located in the dynamic link library QtCore4.dll
-
I get the same problem with SystemLook that I had with RogueKiller: it won't go beyond the allowing access step, even if I run it in safe mode.
Should I still run the registry file?
-
I tried RogueKiller in safe mode, but still no luck.
FSS ran. Here is the report:
Farbar Service Scanner Version: 09-11-2012
Ran by greg (administrator) on 12-11-2012 at 14:58:16
Running from "C:\Users\greg\Desktop"
Windows 7 Enterprise Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
tdx Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error.
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error.
Attempt to access Yahoo.com returned error: Other errors
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Other Services:
==============
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
ATTENTION!=====> C:\Windows\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
C:\Windows\system32\Drivers\tcpip.sys
[2012-09-12 23:33] - [2012-08-22 17:16] - 1292144 ____A (Microsoft Corporation) A5EBB8F648000E88B7D9390B514976BF
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-10-10 15:19] - [2012-06-02 04:36] - 0140288 ____A (Microsoft Corporation) 96C0E38905CFD788313BE8E11DAE3F2F
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
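The FSS report above shows the pattern behind the DHCP failure: the Dhcp and Dnscache services have intact registry configuration but are not running, while the tdx service key is missing and tdx.sys is absent from disk. The following PowerShell script is an added example, not part of this thread and not code from Farbar Service Scanner or Malwarebytes; it reproduces that kind of check for a defender who wants to verify service configuration, on-disk files and hashes without a third-party tool. It assumes an elevated PowerShell 4 or later session (for Get-FileHash); the service list and the reference-hash table are constructed placeholders to be filled from a clean machine at the same patch level.

```powershell
# Added example (not from the thread or from FSS). Checks the registry key, start
# type, dependencies, backing file and MD5 of each listed service, and whether it
# is running. Assumes an elevated PowerShell 4+ session.

# Constructed list: the services FSS reported on above.
$servicesToCheck = 'Dhcp','Dnscache','tdx','afd','nsi','wscsvc','wuauserv','WinDefend'

# Constructed reference table: populate from a clean machine. Empty means "report only".
$knownGoodMd5 = @{
    # 'C:\Windows\system32\Drivers\tdx.sys' = '<MD5 FROM CLEAN MACHINE>'
}

function Expand-ImagePath {
    param([string]$RawPath)
    # ImagePath values come in several shapes: "\SystemRoot\system32\...",
    # "system32\DRIVERS\...", "%SystemRoot%\...", "\??\C:\..." or a quoted exe plus args.
    $p = [Environment]::ExpandEnvironmentVariables($RawPath)
    $p = $p -replace '^\\\?\?\\', ''                  # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^"([^"]+)"')                 { $p = $Matches[1] }   # quoted path
    elseif ($p -match '^(\S+\.(exe|sys|dll))')  { $p = $Matches[1] }   # path then args
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-ServiceIntegrity {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $result = [ordered]@{
        Service    = $Name
        KeyExists  = $false
        Start      = $null      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        DependsOn  = $null
        File       = $null
        FileExists = $null
        Md5        = $null
        HashMatch  = 'n/a'
        Running    = $null
    }
    if (-not (Test-Path $key)) {
        # The condition FSS flagged for tdx: the service key itself is gone.
        return [pscustomobject]$result
    }
    $result.KeyExists = $true
    $props = Get-ItemProperty -Path $key
    $result.Start     = $props.Start
    $result.DependsOn = ($props.DependOnService -join ',')

    # svchost-hosted services keep the real module in Parameters\ServiceDll;
    # drivers and standalone exes are named directly by ImagePath.
    $raw = $props.ImagePath
    $paramKey = Join-Path $key 'Parameters'
    if (Test-Path $paramKey) {
        $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
        if ($dll) { $raw = $dll }
    }
    if ($raw) {
        $file = Expand-ImagePath $raw
        $result.File       = $file
        $result.FileExists = Test-Path $file
        if ($result.FileExists) {
            $result.Md5 = (Get-FileHash -Path $file -Algorithm MD5).Hash
            if ($knownGoodMd5.ContainsKey($file)) {
                $result.HashMatch = ($knownGoodMd5[$file] -eq $result.Md5)
            }
        }
    }

    # Get-Service only sees user-mode services; kernel drivers (Type 1 or 2)
    # are queried through Win32_SystemDriver instead.
    if ($props.Type -band 0x3) {
        $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$Name'"
        $result.Running = ($drv -and $drv.State -eq 'Running')
    } else {
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        $result.Running = ($svc -and $svc.Status -eq 'Running')
    }
    return [pscustomobject]$result
}

$servicesToCheck | ForEach-Object { Test-ServiceIntegrity $_ } |
    Format-Table Service, KeyExists, Start, Running, DependsOn, FileExists, HashMatch, Md5 -AutoSize
```

On the machine in this thread the tdx row would show KeyExists False, and the Dhcp row would list tdx among its DependsOn values with Running False, which is the chain that sfc /scannow later repaired by restoring the missing driver. A hash mismatch against a clean reference is a reason to restore the file from installation media, not proof of infection on its own, since the same file name can legitimately differ between patch levels.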
-
I've downloaded the RogueKiller and transferred it to the desktop, but when I try and run it as an administrator it doesn't seem to do anything. I get the window to allow it access, but after that nothing.
I've no internet on the infected computer and so downloaded and transferred it from another machine.
-
I'm concerned I might be infected with something (I've been having persistent internet connection problems) and so tried to install Malwarebytes to check. This gave an error message saying the setup file is corrupt, suggesting I am infected.
I've run the dds and log files are attached if anyone can help me sort the problem.
Topic: malwarebytes won't install - am I infected? (in Resolved Malware Removal Logs)
rkill ran successfully, but there is still the same problem with ComboFix hanging and MBAR giving the "Entry Point Not Found" error.
Here is the rkill report:
Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 11/13/2012 02:22:40 PM in x86 mode.
Windows Version: Windows 7 Enterprise Service Pack 1
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* C:\Windows\system32\DRIVERS\o2flash.exe (PID: 336) [WD-HEUR]
1 proccess terminated!
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* No issues found.
Checking Windows Service Integrity:
* No issues found.
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* No issues found.
Program finished at: 11/13/2012 02:22:58 PM
Execution time: 0 hours(s), 0 minute(s), and 17 seconds(s)