iroc9555
-
Posts
58 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Posts posted by iroc9555
-
-
Do the latter ----just get the files out of quarantine by either Copy or Move ( fix the embedded spaces and remove the vir ending ) and drop them in the drivers folder
I did. My only concern is that they are only 1 KB in size while the one I misstook for one of the files removed by ComFix is 7 KB. I hope ComboFix did not do anything to them.
Now What ? Clean all tools from my sys ?
Thank again Maurice and I apologize for my questioning and inquisitiveness, and mistakes.
-
Yes I did. I did downloaded the Cfscript.txt to my desktop where I have the ComboFix.exe. I dragged it and dropped it into ComboFix.exe just like the image .gif you attached above. ComboFix was launched, and It asked me if I wanted to upgrade because they have a new version. Here I said no because I was just restoring files. I thought ComboFix was doing its thing, but now you said that it just ran a regular scan so I am as baffled as you are.
I have to go back a make a correction though. The file in my system32\drivers\ is 1028_Dell_DIM_DXP061.mrk. I relized the mistake I made later on, but I couldn't edit the reply and I didn't want to post again. However, I did dragged and dropped the script into ComboFix. That I am sure of.
So, Do I try ComboFix again, or just get the files out of quarantine ( fix the embedded spaces and remove the vir ending ) and drop them in the drivers folder ?
-
Wierd ! I did. The only thing was I did not updgrade ComboFix when it said they have a new version. Also what the heck 1028_DELL_XPS_Dell DXP061.MRK is doing there ( C:\WINDOWS\system32\driver ) if it was removed by Combofix the first run and it did not removed now ?
Do I run Combofix with the restore cfscript again ?
-
Hi Maurice.
Folowed instructions, but only 1 of the files was restored. This one:
1028_DELL_XPS_Dell DXP061.MRK ( there was no space between the name or the dot or the MRK. Good )
I can not find DELL_XPS_Dell DXP061.MRK anywhere in my system.
Attached new log.
Lastly, I cant possibly tell why your pc had the BSOD.
Any db with fixes released before yesterday ? What were those fixes if any ? Otherwise it means that at any time running a scan I can get another BSOD. I am not calling it but.... if we do not know what happened, How can I be sure it will not happens again ?
Thanks Maurice. Awating for new instructions.
-
Sorry for my late response Maurice.
I appreiate it Maurice. I do not know what they are and I could not find any info on them. I could have asked in DeLL forums, but I was lazy about it.
Besides the ComboFix-quarantined-files.txt report, I also attached a copy of the files themselves. You would know what to do with them
Someone else was curious about similar files for another DeLL model three years ago.
I did not bother to send them to VT because the .vir name given by Combofix when they are placed into quarantine might not give a good analysis. May be I am wrong though
So Maurice.. What do you think was the cause of the BSOD ?
I appreciate your helping me with this. Thank you so much Maurice.
-
Thank you Mieke.
Not being detected with db 2014.10.20.6
Apologies for the "sir". Ma'am
-
Hi Maurice.
Not to worry. It was a F/P. Already reported here and fixed with new db update.
https://forums.malwarebytes.org/index.php?/topic/159211-mbdefexe-fp/
At first the name thru me off because the MB ( MBAM ) and the date, I thought it was from MB tool then I realized I had an error doing a database restore with my Creative Player, and a friend hinted me to the right file. Besides I never take action on files detected. I rather research the file and make sure it is not a F/P. If it is for real, the malicious file is there anyway, but if it is a F/P, it can bogged down a program eventhough it is restored.
Ok, I did another scan and it seems everything is fine now. Now, the million dollar question.
What was it ?
The wininit.ini and FF prefs.js deleted by JRT ?
The changes made by ComboFix ? Besides deleting a bunch of temps, which some of them are back, and the DeLL files, and stopping CTFMON.exe fron running automatically on boot. My sys was otherwise clean. No infection. wasn' it ?
BTW. Is there a way to restore those DeLL files ? I do not want to take a chance they are needed for DeLL diagnostic tool or to restore DeLL hidden image.
c:\windows\system32\drivers\1028_DELL_XPS_Dell DXP061
c:\windows\system32\drivers\DELL_XPS_Dell DXP061Another thing. I do not know if you noticed in the logs for system event viewer that it still reports an error for :
Timeout (30000 ms.) transaction response to the service for MBAMService ( or something for that stile. It is difficult to translate exactly ). Attached report.
But this is happening since MBAM v. 2.0.2. It did not happened in v. 1.75 or older.
I think all is well. Crossing my fingers. Awaiting next instructions.
I thank you again Maurice. Kudos to you
-
You are welcome.
This 40 seg thing about MBAM quarantining files is hard to avoid. MBAM wants to quarantine a file does not matter what.
Thank you sir.
-
Hi Malware proteccion and Threat Scan ( db 2014.10.20.4 ) are detecting:
C:\WINDOWS\MBDEF.exe as Spyware Zbot.VXGen.
It is a Creative Default setting restorer of Sound Blaster Audigy ADVANCED MB
http://www.shouldiremoveit.com/Sound-Blaster-Audigy-ADVANCED-MB-12323-program.aspx
VT analysis:
Thanks.
-
Good morning Maurice.
I ran a Threat Scan which ended without a BSOD
However, it found C:\WINDOWS\MBDEF.exe as Spyware Zbot.VXGen.
I imagined it was from one of the tools I've been running since it showed up in my system the 16th of this month when I downloaded mbam-check. I tried to ignored it to look for advice here and to send it to VT to know more about it, but MBAM quarentined it anyways through Malware Protection when I was looking for its properties to get more info about it.
Now what ?
Many thanks.
-
Ok. I let you know.
What else ? Do I run again a threat scan or you want me to run another tool before we try MBAM ?
-
Attached JRT report.
Sorry for my English. I meant that CTFMON was removed from startup program list. It does not start automatically anymore. It is not in Processes in Task Manager.
Well... I just hope I do not have any use for those DeLL files. I do not have the slightest idea what they were for.
c:\windows\system32\drivers\1028_DELL_XPS_Dell DXP061
c:\windows\system32\drivers\DELL_XPS_Dell DXP061.MRK files are use for digital imaging in Photografy.
JRT besides deleting my preference for FF, It also deleted wininit.ini. This is the first time I have run JRT that this particular file is found and deleted. Could not find any concrete info on the file. A ot of info on WININIT.EXE but not .ini.
Waiting for more instructions.
Thanks Maurice.
-
Thanks Maurice.
Attached CombFix log.
For some reazon it decided to eliminate CTFMON.exe from start up when booting. Also replaced my original host file ( it has instructions on how to make changes in it ) to plain 127.0.01 LocalHost.
I am concerned it deleted some DeLL folders in System32\drivers. Hope they are not necessary.
After the ComboFix finnished and I rebooted, 10 min later the sys BSOD with:
IRQL_NOT_LESS_OR_EQUAL
0X0000000A (0X415EE84D, 0X000000OC, 0X00000000, 0X805023B3)
No dump though. I rebooted again and now it is behaving fine. May be it did not like to be poked around
I'll wait for you to tell me to try another Threat Scan after you check the logs.
Thanks again for the help.
-
Hi Maurice.
With regards to MBAM update and another scan. Yes. My db is 2014.10.19.5 and I ran others Thread scans after chkdsk and memtest. I also ran a scan in safe mode. All of them ended in BSOD during heuristic scan. Same 0x00000077 but different 4th parameter.
I have Minidump and a full memory dump if you want them.
I located prefs.js I had to zip it for attacment. also attached is minidump. The MEMORY.DMP is to big ( 581 MB )
-
Got it.
It is late here and I've had a tiresome day. Thank you. -
Thank you Firefox.
One question though since I've never use or run WeTranfer. In the second and third image above the link I will choose would be what ? The link of the topic or one given to me by whom ever ask for the dump ?
-
Can you tell me how do I go about it ? I mean. I can not edit the post, and if I reply in the topic, I do not have an option to attach anything. Do I open another help topic or what ?
The minidump is small about 6 KB, but the full dump is 580 MB already zipped. Sorry about my typo in the other topic where I say the DMP is 2 MG. I wanted to say it is 2 GB.
-
Thank you again Ron. I did not know about the 100 posts limitation to edit a post. I do not go about these forums that much because MBAM seldom makes problems for me.
Yes, I already opened a topic in the removal forum section. Just like you adviced me above, about 50 minutes later after reading your answer here and posting my replies to you. BTW I ran another scan and this time I got a full MEMORY DMP. Do you want it ?
Thanks again.
-
Following AdvancedSetup instruction:
https://forums.malwarebytes.org/index.php?/topic/158863-bsod-and-error-during-heuristic-analysis/
Attached new logs after trying to run another Threat scan and getting another BSOD.
I have a full Memory dump this time. Tell me if you need it because it is more than 2 MG size.
Thanks.
-
..... I have WMP 10 which work pretty good ...
Sorry WMP 11.
I can not find a way to edit a post. Is it possible ?
-
Hi AdvancedSetup.
Thank you for answering. First of all I would like to apologize because the minidump I attached is not even from the BSOD mentioned above. I automatically attached it because it was the only dump I had in the folder and I did not see the date from 2 months back. So I wonder why KERNEL_STACK_INPAGE_ERROR did not produce a minidmp or the subsequent BSOD produced a full dump when I set up my system to do so.
Did you noticed all the Error: (10/15/2014 10:22:50 AM) (Source: 0) (EventID: 9) (User: )
Description: \Device\Ide\iaStor0 ? This are created while MBAM is doing the Heuristic analysis.Also I do not see the MBAM CheckResult.txt log among the attached items above. Did I forget to attach it ? I have it though.
One last question. Where did you see that my WMP caused the crash ? I have WMP 10 which work pretty good eventhough I do not run it that often because my main player is VLC so can't imagine why it would create an issue with MBAM.
I'll be looking for help in the removal forum and see what that infection might be. I know I have some old programs that came with my desktop which are not signed, and I have a particular MBR which invokes a hidden DeLL image, but I have not get infected in the past 8 or 9 years. I know.. I know. No one is really safe if surfing the web and security programs are not 100 % sure so I will run any app you ask for.
Thanks, see you again soon.
-
I clean installed v. 2.0.3.1025. ( Deactivated protection module in v. 2.0.2. Uninstalled through Windows and then ran mbam-clean ) Everything was right. Fast start up ( rebooted after install ). Updated without problem. Fast browsing. Got all my settings changed ( activate rootkit analysis, edit schedule scans and updates, etc.. )
Then I ran a Threat scan. It ran fast although I noticed that the blue bar was not advancing that much during the file system objects analysis. Started to do the Heuristic analysis and almost at the end ( it had run during 9 min and more than 270.000 files ) started to lag or freeze, and then BOSD
KERNEL_STACK_INPAGE_ERROR
0X00000077(0X00000001, 0X00000000, 0X00000000, 0XBA50FD24
I have the minidmp
I tried to reproduce it to get a full MEMORY.DMP, but eventhough I got the same BSOD it did not save it and crashed my sistem so badly that to rebooted it I had to go back to a system restore point. It got my C++ runtime and my firewall all bugged down. Well, that was last night. I reinstalled it today and ran again the threat scan to get the full dmp. This time, during the Heuristic analysis, I got a Winlogon error and the system shut down. No Dump.
BTW. v. 2.0.2 worked without problems.
May be my old warhorse can not keep up with the new thecnology. Mi sys my sig.
Attached are the diagnostic logs, Minidump, and an image of the changes that the winlogon error made recorded by Comodo.
I will appreciate any help to solve this issue. Thank you.
-
Thank you. No longer detected.
-
IP 211.29.152.71 detected as malicious. I understand it is part of the members.optusnet.com.au sub-domain. Anything comming from there is being blocked by MBAM.
Thanks.
BSOD during Heuristic scan; Probably infection ?
in Resolved Malware Removal Logs
Posted
Hi Maurice. Good Morning.
Nothing was lost. I did my share of mistakes too.
Attached log for DelFix.
Tomorrow is my next schedule MBAM scan. If I am not around, it ran uneventfully. Otherwise I'll be knocking on your door
Thank you again Maurice. Wish you the best.
DelFix.txt