
malwarebytes won't install - am I infected?


ballgj


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------


I've downloaded RogueKiller and transferred it to the desktop, but when I try to run it as an administrator it doesn't seem to do anything. I get the window to allow it access, but after that nothing.

I've no internet on the infected computer and so downloaded and transferred it from another machine.


Please try it in safe mode.

also................

Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender

  • Press "Scan".

  • It will create a log (FSS.txt) in the same directory the tool is run from.

  • Please copy and paste the log to your reply.

MrC


I tried RogueKiller in safe mode, but still no luck.

FSS ran. Here is the report:

Farbar Service Scanner Version: 09-11-2012

Ran by greg (administrator) on 12-11-2012 at 14:58:16

Running from "C:\Users\greg\Desktop"

Windows 7 Enterprise Service Pack 1 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Dnscache Service is not running. Checking service configuration:

The start type of Dnscache service is OK.

The ImagePath of Dnscache service is OK.

The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:

The start type of Dhcp service is OK.

The ImagePath of Dhcp service is OK.

The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.

Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.

Connection Status:

==============

Localhost is accessible.

There is no connection to network.

Attempt to access Google IP returned error.

Attempt to access Google.com returned error: Other errors

Attempt to access Yahoo IP returned error.

Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcore.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

ATTENTION!=====> C:\Windows\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\Windows\system32\Drivers\tcpip.sys

[2012-09-12 23:33] - [2012-08-22 17:16] - 1292144 ____A (Microsoft Corporation) A5EBB8F648000E88B7D9390B514976BF

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll

[2012-10-10 15:19] - [2012-06-02 04:36] - 0140288 ____A (Microsoft Corporation) 96C0E38905CFD788313BE8E11DAE3F2F

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

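As an added illustration (not part of the thread, and not Farbar's own tooling), a small Python triage script that reads an FSS report like the one above and pulls out the three things the helper acted on: services that are not running, ATTENTION lines (the missing tdx service key and the missing tdx.sys), and files FSS could not verify by hash and so printed with their details instead of "MD5 is legit". The sample input is a constructed excerpt of the log above.

```python
import re

# Constructed excerpt modelled on the FSS report posted above (not the full log).
SAMPLE_FSS = r"""Internet Services:
============
Dhcp Service is not running. Checking service configuration:
tdx Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
File Check:
========
C:\Windows\system32\dhcpcore.dll => MD5 is legit
ATTENTION!=====> C:\Windows\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
C:\Windows\system32\Drivers\tcpip.sys
[2012-09-12 23:33] - [2012-08-22 17:16] - 1292144 ____A (Microsoft Corporation) A5EBB8F648000E88B7D9390B514976BF
**** End of log ****
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+):$")          # e.g. "File Check:"
STOPPED_RE = re.compile(r"^(?P<svc>\w+) Service is not running\.")
ATTENTION_RE = re.compile(r"ATTENTION!=+> (?P<msg>.+)$")
LEGIT_RE = re.compile(r"^(?P<path>\S.*?) => MD5 is legit$")
# Detail line FSS prints under a path whose hash it does not recognise.
DETAIL_RE = re.compile(r"^\[[^\]]*\] - \[[^\]]*\] - \d+ \S+ "
                       r"\((?P<vendor>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")


def parse_fss(text: str) -> dict:
    """Group an FSS report into stopped services, ATTENTION lines, hash-verified
    files and files FSS left for manual checking (path + MD5 + vendor)."""
    findings = {"stopped": [], "attention": [], "legit": [], "unverified": []}
    section = pending = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("="):
            continue                     # blank line or section underline
        if m := SECTION_RE.match(line):
            section, pending = m.group("name"), None
        elif m := STOPPED_RE.match(line):
            findings["stopped"].append((section, m.group("svc")))
        elif m := ATTENTION_RE.search(line):
            findings["attention"].append((section, m.group("msg")))
        elif m := LEGIT_RE.match(line):
            findings["legit"].append(m.group("path"))
        elif pending and (m := DETAIL_RE.match(line)):
            findings["unverified"].append((pending, m.group("md5"), m.group("vendor")))
            pending = None
        elif section == "File Check" and line.lower().startswith("c:\\"):
            pending = line               # bare path: its details follow on the next line
    return findings
```

Running `parse_fss` over the second, post-fix log in this thread gives empty "stopped" and "attention" lists, which is the quickest way to confirm a repair took.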

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    tdx.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download this reg file to your desktop, double click on it and allow it to merge into the registry:

http://download.blee...vices/7/tdx.reg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MrC


Yes, and see if you can do this:

Please create a new system restore point before running Malwarebytes Anti-Malware.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


MrC


The registry installed fine, and the system restore point created fine.

I went to extract the mbar.zip archive and it fails on the infected machine - "the archive is either in unknown format or damaged".

But it extracted OK on the other machine, so I transferred this and then tried to run it from the desktop. It gives this error message:

mbar.exe - Entry Point Not Found

The procedure entry point ??0QVariant@@QAE@ABV0@@Z could not be located in the dynamic link library QtCore4.dll


Please download the following application to the Desktop: Windows Repair

Next, extract and launch Repair_Windows.exe

Click on the Start repairs tab and then click on Start

Check mark only the following options:

Reset Registry Permissions

Reset File Permissions

Register System Files

Repair WMI

Remove Policies Set By Infections

Checkmark the Restart System When Finished option

Click the Start button

System should restart after repair

Let me know.....MrC


Unfortunately another error message...

"The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail"

Running it from the extracted folder on the desktop (again extracted on the other machine before transfer). I'll try now in safe mode as well.


Unfortunately not - I checked when I made the new restore point this afternoon and there is only one from a few days ago, when the problem was already there.

I've had intermittent problems with connecting to the internet for a few months, but it's fine when I define a static IP at home, so it's not been a major issue. Only I need to have internet functioning elsewhere now, without the static IP address. Having done some reading online it looks like there is a problem with the DHCP client not starting. I was hoping a cleanup would fix it, but it appears more serious now in that I can't get any of the cleanup programs installed!

In future, once I get this sorted, is it sensible to create restore points regularly?


In future, once I get this sorted, is it sensible to create restore points regularly?

Yes, you should have it running so it automatically creates restore points; you should also keep the registry backed up.

What was the latest error message or messages you received? MrC


It seems it did the restore automatically with the last Windows Update, so that might be working fine - do you expect it to keep more than one?

The error messages I've got have been the same using the inherit.exe as I had previously without it.

I have just run an sfc /scannow from the cmd prompt in the hope of fixing the DHCP problem and that worked! So my initial issue is sorted. I'm still concerned that none of the malware checkers will install though - it suggests that something is there.


I've just run the FSS again after the fix and the tdx.sys problem appears to be sorted:

Farbar Service Scanner Version: 09-11-2012

Ran by greg (administrator) on 12-11-2012 at 23:35:55

Running from "C:\Users\greg\Desktop"

Windows 7 Enterprise Service Pack 1 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcore.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys

[2012-09-12 23:33] - [2012-08-22 17:16] - 1292144 ____A (Microsoft Corporation) A5EBB8F648000E88B7D9390B514976BF

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll

[2012-10-10 15:19] - [2012-06-02 04:36] - 0140288 ____A (Microsoft Corporation) 96C0E38905CFD788313BE8E11DAE3F2F

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****
