
Combofix issue with XP??


11 replies to this topic

#1 mrpyle


Posted 14 June 2012 - 04:02 PM

Just a quick heads up. Not sure if this is known, or has been addressed already. Tried searching the forum here, but didn't come up with anything.

Ran combofix on an xp machine yesterday. Cleaned up one or two bugs. After rebooting, had some issues with windows updates and tcpip. Checked the services in windows and found some problems. In the list of services at the top was this -

@%SystemRoot%\System32\iphlpsvc.dll, -201

@%SystemRoot%\System32\winhttp.dll, -101

@%SystemRoot%\System32\wscsvc.dll, -201

Named just like that. Wuauserv was also defunct. And an added new service called TDX and some WinHttpAutoProxySvc service?? As well as a messed up security center service, wscsvc.

We weren't sure if this was a combofix issue or maybe a result of the prior bugs. Today, we installed xp clean on a new machine, with sp3 and the updates, and ran combofix just to see what happened to the services. Sure enough, it messed up a couple services in windows, with the same above.

Always been a great program to use. Never an issue like this. I hope someone already knows about it. Just thought I'd post to make sure, so it can get fixed in the next release. :)



#2 Blade

  • Site Admin

Posted 14 June 2012 - 04:03 PM

Thanks for this; I've flagged the developer.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 mrpyle

  • Topic Starter

Posted 14 June 2012 - 04:42 PM

The services added to XP appear to be TDX, IPHLPSVC and WinHttpAutoProxySvc ... and appear to be Windows 7/Vista services which don't belong in XP. Also, it added a WinDefend service and made changes to AFD, WUAUSERV and WSCSVC services to where they no longer worked.

#4 quietman7

  • Global Moderator

Posted 14 June 2012 - 08:32 PM

We have had several more reports and that information has been passed on to the developer in a private discussion thread so he can investigate the issue.

Update: In the interim, the developer has pulled CF in order to fix the bug...until further notice, it will not be available for download.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Blade


Posted 14 June 2012 - 11:28 PM

The issue has been resolved.



#6 mrpyle


Posted 15 June 2012 - 07:58 AM

cool... thanks guys :thumbsup:

#7 quietman7


Posted 15 June 2012 - 02:30 PM

We should all thank sUBs for his hard work when such issues arise.

#8 itsmerowe


Posted 20 July 2012 - 01:27 PM

So is there an "official" procedure for reversing these changes (besides System Restore)? The exact same thing happened to me. Glad I stumbled onto this.

#9 quietman7


Posted 20 July 2012 - 04:36 PM

This issue was reported 6/14/12; that version of ComboFix was pulled from downloading links and the problem was fixed by the developer the following day.

You are replying to a topic over a month old so the current ComboFix version should not have caused the same issue.

#10 itsmerowe


Posted 23 July 2012 - 03:40 PM

You're right, I am responding to an old post, but it is related to my issue. It took me a month of troubleshooting and searching to finally realize it was Combofix that caused the exact same issues as the OP. If there is a newer thread for this, please direct me. My Combofix log was dated 6-12-2012, so this is within the time of the bad release.

I have reversed most all the changes except for Automatic Updates. I have done a Repair XP install, copied Reg entries, DLLs from good machines, you name it.

So you are saying since the new one is fixed, I should run the new Combofix? I am confused.

If not, it sounds like what you are saying is "Tough luck. You shouldn't have listened to us back in June. Good luck figuring it out yourself."

If that is what I have to do, then I guess I am on my own.

Thanks.

Edited by itsmerowe, 23 July 2012 - 03:40 PM.


#11 quietman7


Posted 24 July 2012 - 08:30 AM

Quote (itsmerowe): "So you are saying since the new one is fixed, I should run the new Combofix? I am confused."

No. I was saying this was an issue with an older version and was inquiring if you used the current version and it occurred again. If that was the case, we would need to re-advise the developer as it was fixed with version 12-06-14.04.

With the further explanation you provided, it appears that is not the case since I believe you are saying that you used the older version where this problem occurred.

The updated CF should undo the damage if those changes are detected by CF after running it again and rebooting. There was also a mini-fix released if that did not work. However, since you ran ComboFix due to malware infection, the log should be examined before doing anything further.

Please follow the instructions in the Preparation Guide For Requesting Help starting at Step 6. When you have done that, start a new topic and post the required logs to include your ComboFix log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. After doing this, please reply back in this thread with a link to the new topic so we can close this one.

If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

Note: If no log was created by ComboFix, then ignore this part and just post the other requested logs in your new topic.

#12 Shaggie


Posted 28 November 2012 - 11:33 AM

I ran ComboFix within the past month and had nearly the identical issue.
The DisplayName for several of my services seems to have been removed, and the wscsvc service gives me the following error when trying to open its properties:
---------------------------
Services
---------------------------
Configuration Manager: The specified device instance handle does not correspond to a present device.
---------------------------
OK
---------------------------

The other services with the DisplayName removed are "BITS", "MSSQLSERVER", and "SQLSERVERAGENT", and possibly "Alerter", "Fax", "Messenger", "Themes", and "WebClient".
I am not 100% certain about the last 5 as I do not recall if they had better names before.
FYI I am running XP SP3. I do realize that this is a really old issue, but I thought it would be best to let people know.

Edited by Shaggie, 28 November 2012 - 11:34 AM.




