TechSpot

[A] Major probs. Do I need to blow it out?

Inactive
By Mike Shears
Jan 22, 2013
  1. Broni

    Broni Malware Annihilator Posts: 47,035   +255

    Disregard Comodo warning.
     
  2. Mike Shears

    Mike Shears TS Rookie Topic Starter Posts: 32

    During prescan RK tells me it is dated and wants me to DL from the website. I say yes and it brings me to where I DLd from not 5 minutes ago. And when I select delete after running the scan, it tells me the prog crashed. Renamed it winlogon, reran, and it still wanted me to DL what I just DLed, and also crashed. Now for laughs I deleted it from the desktop and DLd it again. Crashed again after starting deletion. It crashed again when trying to delete.
    BUT I copied the report this time before trying to delete.

    RogueKiller V8.4.4 [Feb 1 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Normal mode
    User : Puffin [Admin rights]
    Mode : Scan -- Date : 02/02/2013 19:38:43
    | ARK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 5 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\RunOnce : Z1 (cmd /c "C:\Users\Jeanne\Desktop\mbar\mbar\mbar.exe" /cleanup /s) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\RunOnce : *D7 (cmd /c start "" "C:\Users\Jeanne\AppData\Local\Temp\Temp1_D7.zip\D7.exe") -> FOUND
    [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ Extern Hives: ¤¤¤
    -> E:\windows\system32\config\SOFTWARE

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD50 00AAKX-001CA SCSI Disk Device +++++
    --- User ---
    [MBR] 1e850b1a2a4b95f48546c2e2dd51801e
    [BSP] b1eddfe3e4a458b3cc37cdde75ccdb1e : Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476938 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive1: SAMSUNG SP2504C SCSI Disk Device +++++
    --- User ---
    [MBR] 8b5b659faa81e45c42691f1b52e1dc96
    [BSP] 7d4755e7c820a24a8f2162a6ed0543bc : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 10240 Mo
    2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21100544 | Size: 228114 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[4]_S_02022013_02d1938.txt >>
    RKreport[1]_S_02022013_02d1855.txt ; RKreport[2]_S_02022013_02d1902.txt ; RKreport[3]_S_02022013_02d1912.txt ; RKreport[4]_S_02022013_02d1938.txt
     
  3. Broni

    Broni Malware Annihilator Posts: 47,035   +255

    Create a new restore point before proceeding with the next step.
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ============================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  4. Mike Shears

    Mike Shears TS Rookie Topic Starter Posts: 32

    Ok I'll have to do this tomorrow. Thanks for your time. I greatly appreciate the help.
     
  5. Broni

    Broni Malware Annihilator Posts: 47,035   +255

  6. Mike Shears

    Mike Shears TS Rookie Topic Starter Posts: 32

    Ok, I let ComboFix run for about 4 hrs. When I came back to the machine, it had a BSOD. I booted into safe mode and ran Rkill, then I ran ComboFix. 18 hours later when I came back to the machine, ComboFix is still at the screen where it tells you it may take 10 minutes or, for badly infected machines, scan time may easily double.
    Here is the RKILL log:
    ======================================================
    Rkill 2.4.6 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2013 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 02/03/2013 04:39:13 PM in x86 mode.
    Windows Version: Windows Vista (TM) Home Premium Service Pack 2

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * Windows Firewall Disabled

    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = dword:00000000

    Checking Windows Service Integrity:

    * COM+ Event System (EventSystem) is not Running.
    Startup Type set to: Automatic

    * Windows Defender (WinDefend) is not Running.
    Startup Type set to: Manual

    * Security Center (wscsvc) is not Running.
    Startup Type set to: Automatic (Delayed Start)

    * Windows Update (wuauserv) is not Running.
    Startup Type set to: Automatic (Delayed Start)

    * Windows Update (AFD) is not Running.
    Startup Type set to: Automatic (Delayed Start)

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * HOSTS file entries found:

    127.0.0.1 localhost
    ::1 localhost

    Program finished at: 02/03/2013 04:39:24 PM
    Execution time: 0 hours(s), 0 minute(s), and 11 seconds(s)
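    As an added illustration (not part of the thread and not Rkill's own code): a small Python parser that reads the Rkill output above, copied here as the sample input with blank lines dropped, and flags the two findings a responder would triage first, the firewall policy value set to 0 and the security services reported as not running. Only the four services named in the log's own "Service Integrity" section count as security services here; the AFD entry is parsed but not alerted on.

```python
import re

# Sample input: the firewall and service-integrity lines from the Rkill log
# posted in this thread, with blank lines dropped to keep the sample short.
SAMPLE_RKILL_LOG = r"""
* Windows Firewall Disabled
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000
Checking Windows Service Integrity:
* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Automatic
* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual
* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic (Delayed Start)
* Windows Update (wuauserv) is not Running.
Startup Type set to: Automatic (Delayed Start)
* Windows Update (AFD) is not Running.
Startup Type set to: Automatic (Delayed Start)
"""

SERVICE_RE = re.compile(r"^\* (?P<display>.+?) \((?P<name>\w+)\) is not Running\.$")
STARTUP_RE = re.compile(r"^Startup Type set to: (?P<startup>.+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>HK[A-Z]+\\.+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<value>[^"]+)" = dword:(?P<data>[0-9A-Fa-f]{8})$')

# Services that malware commonly stops so the host cannot update, defend
# itself or report its status; all four appear in the thread's Rkill log.
SECURITY_SERVICES = {"EventSystem", "WinDefend", "wscsvc", "wuauserv"}


def parse_rkill(text):
    """Collect stopped services and dword registry values from Rkill output."""
    stopped, registry = {}, {}
    current_key = None  # registry key the next "name" = dword:... line belongs to
    pending = None      # service whose "Startup Type" line is expected next
    for line in (l.strip() for l in text.splitlines()):
        if m := SERVICE_RE.match(line):
            pending = m.group("name")
            stopped[pending] = None
        elif (m := STARTUP_RE.match(line)) and pending:
            stopped[pending] = m.group("startup")
            pending = None
        elif m := REG_KEY_RE.match(line):
            current_key = m.group("key")
        elif (m := REG_VAL_RE.match(line)) and current_key:
            registry[(current_key, m.group("value"))] = int(m.group("data"), 16)
    return stopped, registry


def assess(stopped, registry):
    """Turn parsed findings into the alerts a responder would look at first."""
    alerts = []
    for (key, value), data in registry.items():
        if value == "EnableFirewall" and data == 0:
            alerts.append(f"firewall disabled by policy under {key}")
    for name, startup in stopped.items():
        if name in SECURITY_SERVICES:
            alerts.append(f"security service not running: {name} (startup type {startup})")
    return alerts
```

Calling `assess(*parse_rkill(SAMPLE_RKILL_LOG))` on the sample yields five alerts: the disabled firewall policy plus the four stopped security services.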
     
  7. Mike Shears

    Mike Shears TS Rookie Topic Starter Posts: 32

    Here is the Critical event from Event viewer
    Log Name: System
    Source: Microsoft-Windows-Kernel-Power
    Date: 2/3/2013 4:30:19 PM
    Event ID: 41
    Task Category: None
    Level: Critical
    Keywords: (2)
    User: SYSTEM
    Computer: Jeanne-PC
    Description:
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Kernel-Power" Guid="{331c3b3a-2005-44c2-ac5e-77220c37d6b4}" />
    <EventID>41</EventID>
    <Version>0</Version>
    <Level>1</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000002</Keywords>
    <TimeCreated SystemTime="2013-02-03T21:30:19.314Z" />
    <EventRecordID>109511</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="8" />
    <Channel>System</Channel>
    <Computer>Jeanne-PC</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData>
    <Data Name="BugcheckCode">159</Data>
    <Data Name="BugcheckParameter">0x3</Data>
    <Data Name="BugcheckParameter">0x85f2e888</Data>
    <Data Name="BugcheckParameter">0x86a25770</Data>
    <Data Name="BugcheckParameter">0x859ef5c8</Data>
    </EventData>
    </Event>
     
  8. Mike Shears

    Mike Shears TS Rookie Topic Starter Posts: 32

    Also from Event viewer


    Log Name: Application
    Source: ESENT
    Date: 2/4/2013 12:20:05 PM
    Event ID: 623
    Task Category: Transaction Manager
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Jeanne-PC
    Description:
    wuaueng.dll (1244) SUS20ClientDataStore: The version store for this instance (0) has reached its maximum size of 8Mb. It is likely that a long-running transaction is preventing cleanup of the version store and causing it to build up in size. Updates will be rejected until the long-running transaction has been completely committed or rolled back.
    Possible long-running transaction:
    SessionId: 0x01590320
    Session-context: 0x00000000
    Session-context ThreadId: 0x00000F10
    Cleanup: 1
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="ESENT" />
    <EventID Qualifiers="0">623</EventID>
    <Level>2</Level>
    <Task>14</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-04T17:20:05.000Z" />
    <EventRecordID>9416</EventRecordID>
    <Channel>Application</Channel>
    <Computer>XXXXXX-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data>wuaueng.dll</Data>
    <Data>1244</Data>
    <Data>SUS20ClientDataStore: </Data>
    <Data>0</Data>
    <Data>8</Data>
    <Data>0x01590320</Data>
    <Data>0x00000000</Data>
    <Data>0x00000F10</Data>
    <Data>1</Data>
    </EventData>
    </Event>
     
  9. Mike Shears

    Mike Shears TS Rookie Topic Starter Posts: 32

    Finally


    Event Viewer
    Log Name: Application
    Source: Microsoft-Windows-EventSystem
    Date: 2/3/2013 4:31:14 PM
    Event ID: 4609
    Task Category: Event System
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Jeanne-PC
    Description:
    The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043c from line 45 of d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-EventSystem" Guid="{899daace-4868-4295-afcd-9eb8fb497561}" EventSourceName="EventSystem" />
    <EventID Qualifiers="49152">4609</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-03T21:31:14.000Z" />
    <EventRecordID>9389</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Jeanne-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp</Data>
    <Data Name="param2">45</Data>
    <Data Name="param3">8007043c</Data>
    </EventData>
    </Event>
     
  10. Mike Shears

    Mike Shears TS Rookie Topic Starter Posts: 32

    Also, the Avast service is disabled, and attempts to change that status, whether setting it to automatic or manual, give access denied errors. In either state, Start is grayed out.
     
  11. Broni

    Broni Malware Annihilator Posts: 47,035   +255

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the x64 bit version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
     
  12. Mike Shears

    Mike Shears TS Rookie Topic Starter Posts: 32

    Says Farbar is designed to diagnose and fix boot issues. I don't think I am having any of those.
    Also, it would be immensely appreciated if you could give me an idea about what you think is going on.
    I'm probably looking at doing this this coming weekend.
     
  13. Broni

    Broni Malware Annihilator Posts: 47,035   +255

    I'm not sure yet what's going on so I want to take a look at your computer from the outside.
    That's why I need FRST log.
     
  14. Mike Shears

    Mike Shears TS Rookie Topic Starter Posts: 32

    Ok, but what do I tell the user? I have been telling them it is probably a rootkit.
     
  15. Broni

    Broni Malware Annihilator Posts: 47,035   +255

    I can't comment without seeing FRST log.
    FRST is just a scanner. It doesn't make any changes until I ask it to do so.
     
  16. Broni

    Broni Malware Annihilator Posts: 47,035   +255

    Still with me?
     
  17. Mike Shears

    Mike Shears TS Rookie Topic Starter Posts: 32

    I haven't abandoned this. Just delayed till this coming WE by the snow storm.
     
  18. Broni

    Broni Malware Annihilator Posts: 47,035   +255

    Keep me posted.
     
  19. Broni

    Broni Malware Annihilator Posts: 47,035   +255

    Still with me?
     
  20. Mike Shears

    Mike Shears TS Rookie Topic Starter Posts: 32

    Ok, I did not get a chance to try this this past WE due to scheduling issues. Also, I did get some advice to run chkdsk /f /r then sfc.exe to find and repair any file corruption. I did get an opportunity to start that, but have not analysed the log to see what needs replacement. That and running the app you recommended will have to wait till this coming Saturday. Hopefully, I will have results for you then. TX
     
  21. Broni

    Broni Malware Annihilator Posts: 47,035   +255

  22. Broni

    Broni Malware Annihilator Posts: 47,035   +255

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.
     
Topic Status:
Not open for further replies.