
Old problem, new twist


This topic is locked
13 replies to this topic

#1 virgilzz (Members, 6 posts)

Posted 17 May 2010 - 01:07 AM

Hello esteemed gurus,

I have an old issue, but with a new twist. Under XP SP3, msconfig.exe refuses to run, and this
after a combofix scan. I have tried in vain to capture its run behavior with Process Analyzer and
WinDbg; this thing behaves like a ghost (it starts and leaves without a trace, even in Event Viewer).
Is there any way to figure out what is happening when running this executable?

Thanks,

virgilzz

Edit: Moved topic from XP to the more appropriate forum, at the request of a Malware Removal Team member. ~ Animal


#2 virgilzz (Topic Starter)

Posted 17 May 2010 - 01:49 AM

OK, I discovered Process Monitor in the meantime. I am attaching a file with the events captured while running msconfig.exe. There are several NAME NOT FOUND and BUFFER OVERLOAD, but I am unsure which causes the
ghost behavior. Any suggestions?

Thanks,

virgilzz

Attached Files



#3 Broni (BC Advisor, 42,710 posts)

Posted 17 May 2010 - 11:41 AM

QUOTE
msconfig.exe refuses to run and this after a combofix scan

You shouldn't be running Combofix without supervision.
I suggest you start a new topic in the "Am I Infected?" forum.



#4 virgilzz (Topic Starter)

Posted 17 May 2010 - 10:17 PM

Thank you for your reply and suggestion, but I was hoping that there are people with a detailed knowledge of XP available to answer a pretty specific question. For all practical purposes I can humbly provide the answer to the question "Am I Infected?" myself: no. I suspect some registry entries got corrupted, as a result of the combofix scan (which most likely justifies your first statement :-).

Edited by virgilzz, 17 May 2010 - 10:22 PM.


#5 Broni (BC Advisor, 42,710 posts)

Posted 17 May 2010 - 10:28 PM

I'll notify malware people about your question/problem. Hold on.



#6 Animal (Site Admin, 35,336 posts)

Posted 17 May 2010 - 10:30 PM

With regards to ComboFix we have a standing guideline that states:
QUOTE
When posting your problem, do not run and post a ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.


This is in a banner at the top of the "Am I infected? What do I do?" forum.

This is the reason the reply regarding ComboFix was given. I will see if I can find someone who can respond to your issue. Please be patient.



#7 Blade (Site Admin, 12,704 posts)

Posted 17 May 2010 - 11:13 PM

Hello.

I'll be requesting that this issue be shifted into the logs forum so we can take a better look at what went wrong.

Please post the ComboFix log for my analysis. It can be found at C:\ComboFix.txt

***************************************************

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link--> Virustotal

When the VirusTotal page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe

Please post back the URL of the results page for each file in your next post.

If VirusTotal is busy, try the same at Jotti

~Blade


In your next reply, please include the following:
ComboFix Log
VirusTotal/Jotti results

Edited by Blade Zephon, 17 May 2010 - 11:23 PM.



#8 virgilzz (Topic Starter)

Posted 18 May 2010 - 12:13 AM

I'm afraid there is a slight misunderstanding: the log file I had posted was from Process Monitor, which shows the registry/thread activity spawned by msconfig.exe during its fleeting execution.
In any event, I will post the logs you requested once I get home.

#9 Blade (Site Admin, 12,704 posts)

Posted 18 May 2010 - 05:55 AM

Okay, I'll keep a lookout for them.



#10 virgilzz (Topic Starter)

Posted 18 May 2010 - 09:12 AM

Thank you for your help. Here are the logs from ComboFix and jotti. One note: ComboFix complained about COMODO being active despite running it in Safe Mode and after I killed the COMODO process shown in Process Explorer.

Attached Files



#11 Blade (Site Admin, 12,704 posts)

Posted 19 May 2010 - 05:46 PM

Hello virgilzz

Please navigate to and double click on the following file.

C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe

If you are not prompted to reboot the machine, please do so.

Afterwards... please check to see if msconfig.exe is able to properly execute.

~Blade



#12 virgilzz (Topic Starter)

Posted 20 May 2010 - 02:18 AM

Yeah, I was afraid you were gonna ask that... Of course the restore doesn't do anything, because it is a copy of the already damaged hive. Before asking here for help, I had already uninstalled combofix, and then I noticed the msconfig behavior. Moreover, I tried various things myself, such as copying the entire pchealth folder from a working XP and a reinstallation of the SP3 update, which did zilch to fix the problem.
Then I had the brilliant, but tardive, idea to ask more knowledgeable people. When you asked me for the log, I should have mentioned that I had already uninstalled combofix, but I overlooked that.
In my unsolicited opinion, there are two solutions for this problem:
a) full OS reinstall (which I dread, but it is certain to solve the issue)
b) finding a way to restore the registry keys associated with msconfig (if that indeed is the real issue), but this is beyond my current level of expertise (I am open to suggestions though, e.g. how to extract the keys from a working system, etc.)
If your decision tree for solving computer problems has other action arcs applicable to this issue, kindly let me know.

Cheers,
virgilzz

Edited by virgilzz, 20 May 2010 - 02:20 AM.


#13 Blade (Site Admin, 12,704 posts)

Posted 22 May 2010 - 12:57 PM

Hello virgilzz

My apologies for the delay.

Unfortunately if you've uninstalled ComboFix there is very little that can be done, and our chances of identifying the cause of the issue are extremely slim. This applies especially in this case, where it is unsure precisely where the problem lies. The registry is a vast entity; scouring its depths for an unknown change that may or may not be present is neither practical nor time-efficient. The most reasonable path at this point is to reinstall the OS.

For the benefit of both you and others who may read this thread, please note the following regarding ComboFix.

ComboFix (CF for short) is intended by its creator to be "used under the guidance and supervision of an expert", NOT for personal, unsupervised use. Please read Combofix's Disclaimer. When CF is run without trained assistance, it can no longer be considered a "safe" tool. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

You may find this topic to be helpful - ComboFix usage, Questions, Help? - Look here

You may have unfortunately learned firsthand why this warning is posted so often on the boards here. Whether ComboFix was directly responsible for this or not, running it results in system changes that, while beneficial to the cleaning of an infected machine, can prove problematic in other cases. When run with the assistance of a specialist... these issues can be pinpointed and fixed during a cleaning. Once a fix is complete though, recovery options are extremely limited.

If you have any further questions, please feel free to let me know.

~Blade



#14 Blade (Site Admin, 12,704 posts)

Posted 01 June 2010 - 06:28 PM

Since this issue appears to be resolved ... this Topic has been closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade
