Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Infection that will not clean successfully


  • This topic is locked This topic is locked
2 replies to this topic

#1 corymk

corymk

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:22 AM

Posted 15 June 2012 - 03:41 PM

I have a Windows XP (32-bit) machine with an unknown infection. It has been able to be somewhat contained but not properly disinfected.

I have been cleaning up an infection on a machine. I did not see the original screen of the infection so I don't know what variant it was. I only got to see the symptoms and they were mostly halting local files to be run properly and running lots of weird EXE files from the Application Data folder. The machine started acting better when running ComboFix. If ComboFix is run, the machine will settle down. It does not find anything but it will start working properly.

There are two services for sure that are showing up as unable to be run that are causing problems - Cryptographic Services and DHCP Client. These services will run properly while ComboFix is installed on the machine. If I uninstall ComboFix and reboot, these services will not run or work properly again. These services will not run properly. I forgot to document the error they ran but it has to do with dependencies. There are also some weird Services that start with "%systemroot% at the top of the list. They are not running but I don't know where they are from and if they were a part of ComboFix or the infection. There was a B-Service that showed up that was referencing the the Temporary Internet Files Content.IE5 folder so I now that one is junk and has been disabled as such.

I have gone through and put a trial of AVG Internet Security 2012 on the machine, I have run a System File Checker (sfc /scannow) on the machine, I have used TDSS Killer on the machine, I have run Malwarebytes Anti-Malware on the machine, and I have gone through some other variations of possibilities.

I am trying to think of what my next step should be. I have attached the ComboFix log from the last time where it settles the services down to where they will run properly. I have also attached the latest version of the TDSS Killer log as well. Let me know where you think I can go.

I have been a longtime supporter of what you have for information on this site and I have used your advice quite a few times. I have finally become a member because I have run into a problem now that I have not seen the light on and need some insight as to where to go.

- Cory

Attached Files



BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:22 AM

Posted 18 June 2012 - 01:41 PM

Hello and welcome to BleepingComputer! :)



I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed so we need to get a clear look on that aspect. DO NOT bring any changes to the system except the ones I tell you to as that may produce more damage than helping us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occured since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:22 AM

Posted 23 January 2013 - 02:33 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users