
Combofix killing network?


5 replies to this topic

#1 technz


Posted 19 June 2012 - 10:17 PM

Not sure if this is the correct forum but wanted to throw this information out there in case someone is having the same issue. We have run Combofix to help in removing particularly nasty infections in the past, but in the last week it seems to have been killing some registry keys needed to run DHCP, DNS, as well as Windows updates. It also seems to stop network connections from displaying in the Network Connections dialog.

I thought this problem may have originally been because of a hangover from removing the infection, but after running "combofix /uninstall" on a fresh install of Vista SP2 in a virtual machine it still rendered the network unusable. We've been able to remedy this by capturing fresh copies of the following trees and merging them on problem machines.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalServiceNetworkRestricted
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalSystemNetworkRestricted
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService
HKLM\SYSTEM\ControlSet001\Services\iphlpsvc\config
HKLM\SYSTEM\ControlSet001\Services\PolicyAgent\Parameters
HKLM\SYSTEM\ControlSet001\Services\tdx
HKLM\SYSTEM\ControlSet001\Services\WinHttpAutoProxySvc\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\config
HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\tdx
HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Parameters
HKLM\SYSTEM\ControlSet001\Services\wuauserv\

Hoping someone can shed information as to why Combofix has started doing this. (Had the same experience on an XP SP3 machine.)

edit: It only appears to happen once the /uninstall option is run.

--
technz

Edited by technz, 19 June 2012 - 10:18 PM.
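
The remedy described in the post above (capture the listed trees from a clean machine, merge them on an affected one), as an added PowerShell example that is not part of the original thread and not part of Combofix. The script name, the -Mode and -Dir parameters and Get-RegFile are this example's own; it assumes PowerShell 2.0 or later, an elevated prompt, an existing -Dir directory, and a reference machine with the same Windows version and service pack.

```powershell
# Added example (not from the thread). Run from an elevated prompt.
#   .\SvcKeys.ps1 -Mode Export -Dir C:\ref   # clean machine, same OS and service pack
#   .\SvcKeys.ps1 -Mode Audit  -Dir C:\ref   # affected machine: report only
#   .\SvcKeys.ps1 -Mode Repair -Dir C:\ref   # affected machine: merge absent keys
param(
    [Parameter(Mandatory=$true)][ValidateSet('Export','Audit','Repair')][string]$Mode,
    [Parameter(Mandatory=$true)][string]$Dir
)

# Key list copied from the first post (trailing backslash on wuauserv dropped).
$Keys = @(
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalServiceNetworkRestricted',
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalSystemNetworkRestricted',
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService',
    'HKLM\SYSTEM\ControlSet001\Services\iphlpsvc\config',
    'HKLM\SYSTEM\ControlSet001\Services\PolicyAgent\Parameters',
    'HKLM\SYSTEM\ControlSet001\Services\tdx',
    'HKLM\SYSTEM\ControlSet001\Services\WinHttpAutoProxySvc\Parameters',
    'HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\config',
    'HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters',
    'HKLM\SYSTEM\CurrentControlSet\Services\tdx',
    'HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Parameters',
    'HKLM\SYSTEM\ControlSet001\Services\wuauserv'
)

# Hypothetical helper: one .reg file per key, named after the key path.
function Get-RegFile([string]$Key) {
    Join-Path $Dir (($Key -replace '[\\ ]', '_') + '.reg')
}

foreach ($Key in $Keys) {
    $File    = Get-RegFile $Key
    $Present = Test-Path -LiteralPath ($Key -replace '^HKLM\\', 'HKLM:\')
    if ($Mode -eq 'Export') {
        if (-not $Present) { Write-Warning "Absent on reference machine: $Key"; continue }
        if (Test-Path -LiteralPath $File) { Remove-Item -LiteralPath $File }
        & reg.exe export $Key $File | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Export failed: $Key" }
    } elseif ($Present) {
        "OK        $Key"
    } elseif ($Mode -eq 'Audit' -or -not (Test-Path -LiteralPath $File)) {
        "MISSING   $Key"
    } else {
        # Repair merges only keys that are absent; intact keys are left untouched.
        & reg.exe import $File 2>&1 | Out-Null
        if ($LASTEXITCODE -eq 0) { "RESTORED  $Key" } else { Write-Warning "Import failed: $Key" }
    }
}
```

The check is presence-only: a key that still exists but has lost values is reported as OK, so compare it against the exported .reg file if a service still fails to start.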




#2 Broni


Posted 19 June 2012 - 10:58 PM

Since you ran Combofix....

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 technz


Posted 19 June 2012 - 11:19 PM

Thanks for the generic response. Not looking for help with a specific malware removal, just want some light shed on why Combofix seems to be removing network keys that are quite important to the operation of network connectivity.

A full registry diff from a fresh install of Vista SP2 and Windows XP shows that in fact it is deleting these keys on both infected and uninfected machines.

If completely necessary I can recreate the problem in a virtual machine and show you the logs.

The problem has been rectified on all problem machines with replacement of the service keys within the registry but I am still in the dark as to why this problem with combofix has only shown up in the last week or two.

--
technz

#4 Broni


Posted 19 June 2012 - 11:22 PM

Combofix discussion is not allowed in this forum.



 


#5 technz


Posted 19 June 2012 - 11:25 PM

Thank you for letting me know. I did not realize.

#6 Broni


Posted 19 June 2012 - 11:28 PM

Not a problem :)



 




