Cleanup after running CF on my own


This topic is locked. 39 replies to this topic.

#16 David Balažic (Topic Starter, Members, 28 posts)

Posted 17 September 2012 - 12:16 PM

erdnt.exe is behaving strangely. After a few warnings, I got this:

---------------------------
Warning!
---------------------------
Error restoring
C:\Windows\erdnt\Hiv-backup\SOFTWARE
to
C:\Windows\System32\config\SOFTWARE !

Continue with the next file?
---------------------------
Yes No
---------------------------

I will continue, because first I made a backup of the windows partition (and I pray erdnt will not touch the other partitions), then report back... Hold your thumbs!


#17 David Balažic (Topic Starter, Members, 28 posts)

Posted 17 September 2012 - 04:58 PM

I ran erdnt.exe.

Some settings are still missing, I'll fix them manually.

Can I uninstall the remains of ComboFix?

#18 David Balažic (Topic Starter, Members, 28 posts)

Posted 17 September 2012 - 05:02 PM

PS: ComboFix put this into the hosts file:
127.0.0.1 localhost


This is wrong for Windows 7, I quote:

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost

Edited by David Balažic, 17 September 2012 - 05:02 PM.


#19 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 17 September 2012 - 05:42 PM

Hi again,

> Can I uninstall the remains of ComboFix?

I will give instructions on how to do that soon, you may leave it there for now.

The hosts file does get changed, but it gets set to a default. Could you please show me the entire contents of the hosts file? You can always add in any entries you would like to add to the list currently, but save that for after uninstalling Combofix when we get to that.

==========

WARNING

I don't see an Anti Virus Program running on your machine

Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Three good antivirus programs free for non-commercial home use are Avast!, Antivir and Microsoft Security Essentials
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

==========

Are your files back in their correct places now? Any other issues I should know about?

bloopie

#20 David Balažic (Topic Starter, Members, 28 posts)

Posted 18 September 2012 - 02:33 PM

This was the content of hosts file after CF changed it:

127.0.0.1 localhost


Later I changed it to (copied from another Windows 7 PC):

# Copyright © 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

#block some ads...
255.255.255.0 ads.alter.si
255.255.255.0 oglasi.alter.si
255.255.255.0 adserver.alter.si
255.255.255.0 relay-si.ads.httpool.com
255.255.255.0 ad.httpool.com
255.255.255.0 tas-si.toboads.com
255.255.255.0 ad-emea.doubleclick.net
255.255.255.0 oglasi.slo-tech.com
255.255.255.0 ads.poraba.com
255.255.255.0 googleads.g.doubleclick.net

# in case their DNS dies:
#91.236.1.162 www.alter.si



About the files: CursorHider.exe is back where it was. c:\programdata\ntuser.dat also.

Some settings are still not working as they did before (like autostart of CursorHider.exe, IE settings, default browser,...). I set them already manually.
System restore is still turned off (why does CF make a restore point on start, then delete it all? What is the purpose?)


Here is the FSS.txt log:

Farbar Service Scanner Version: 06-08-2012
Ran by stein (administrator) on 18-09-2012 at 21:30:09
Running from "K:\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-09-12 11:48] - [2012-08-22 20:12] - 1913200 ____A (Microsoft Corporation) F782CAD3CEDBB3F9FFE3BF2775D92DDC

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****



PS: Email notifications of new posts still don't work.
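The hosts file posted above is a good place to show what a defender actually checks in that file: every non-comment line is an address followed by one or more names, and the only thing that tells a "block this ad server" entry apart from a hijacked entry is where the address points. The parser below is an added example written for this thread; it is not code from BleepingComputer, ComboFix or any other tool mentioned here. It reads a hosts file in the Windows format shown in the post, validates each address with Python's ipaddress module, and classifies the target as loopback (127.0.0.1 or ::1), blocked (0.0.0.0, the usual way to make a name unresolvable) or "other", which is the category worth a second look, since a well-known name mapped to some routable address is the classic sign of a tampered hosts file. The sample input is constructed for the example and uses .invalid names; it deliberately includes a 255.255.255.0 entry like the ones in the post, which the classifier reports as "other" because that address is neither loopback nor 0.0.0.0.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the Windows hosts format (shortened comment header).
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

#block some ads...
255.255.255.0 ads.example.invalid
0.0.0.0 tracker.example.invalid   # sinkhole-style block entry
127.0.0.1 localhost
10.0.0.5 www.example.invalid      # a real name pointed at a LAN host
not-an-ip bad.line
"""


@dataclass
class HostsEntry:
    lineno: int
    address: str
    names: Tuple[str, ...]
    category: str  # "loopback", "blocked" or "other"


def classify(address: str) -> str:
    """Classify where a hosts entry sends traffic. Raises ValueError on a bad address."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 / ::, commonly used to block a name
        return "blocked"
    return "other"


def parse_hosts(text: str) -> Tuple[List[HostsEntry], List[Tuple[int, str]]]:
    """Parse hosts-file text into entries plus a list of (lineno, problem) for lines
    that do not follow the '<address> <name> [<name>...]' format."""
    entries: List[HostsEntry] = []
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Everything after '#' is a comment, whether the line starts with it or not.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append((lineno, "address without a host name"))
            continue
        try:
            category = classify(fields[0])
        except ValueError:
            problems.append((lineno, f"invalid address {fields[0]!r}"))
            continue
        entries.append(HostsEntry(lineno, fields[0], tuple(fields[1:]), category))
    return entries, problems


def suspicious_entries(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that map a name somewhere other than loopback or 0.0.0.0 deserve review."""
    return [e for e in entries if e.category == "other"]


if __name__ == "__main__":
    found, bad = parse_hosts(SAMPLE_HOSTS)
    for e in found:
        print(f"line {e.lineno}: {e.address} -> {', '.join(e.names)} [{e.category}]")
    for lineno, why in bad:
        print(f"line {lineno}: cannot parse: {why}")
    for e in suspicious_entries(found):
        print(f"REVIEW line {e.lineno}: {', '.join(e.names)} resolves to {e.address}")
```

On a real Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the parser only reads, it never rewrites the file. The point of the three categories is that a default Windows 7 hosts file has no active entries at all (the localhost lines are commented out, as the post quotes), so anything in "other" is something a person or a program added and should be explainable.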

#21 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 18 September 2012 - 05:41 PM

Hi again,

> Some settings are still not working as they did before (like autostart of CursorHider.exe, IE settings, default browser,...). I set them already manually.

So everything is okay there now that you've fixed it?

==========

> System restore is still turned off (why does CF make a restore point on start, then delete it all? What is the purpose?)

Sorry, I must have not added in a line about this earlier. This is what I said earlier:

System Restore is also reset by Combofix upon uninstall. This is so a new restore point can be set after malware removal and the system is free of malware! :wink:

I meant to mention that there could be a number of reasons why System Restore could be turned off...it could have been because of a previous infection you had on the machine?

Combofix will flush system restore when it gets uninstalled, but not before. It did what it was supposed to when performing a deletion as noted in the header of your CF log:

ComboFix 12-09-14.03 - stein 14.09.2012 23:02:34.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1250.386.1033.18.4078.2102 [GMT 2:00]
Running from: k:\downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point


Not sure why it's still turned off, because the FSS log you just posted doesn't show any problems with system restore:

System Restore:
============

System Restore Disabled Policy:
========================


Try and turn on system restore, and let me know what happens.

==========

Now, let's get a Security Check of your machine:

Please download and run Security Check from HERE,and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document in your next reply.

==========

Also in your reply, please let me know if you have installed an Antivirus program! If not, it should show in the Security Check log.

bloopie

#22 David Balažic (Topic Starter, Members, 28 posts)

Posted 18 September 2012 - 05:54 PM

Results of screen317's Security Check version 0.99.51
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Secunia PSI
Malwarebytes Anti-Malware version 1.65.0.1400
Java 7 Update 7
Mozilla Firefox (15.0)
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


I can not enable System Restore, I see my C: partition is twice in the list in the System Properties / System Protection dialog.
I can create new Restore points and they are offered when I try a restore.
I don't know if this was so before running CF or not.


"So everything is okay there now that you've fixed it?"
I did not (and can not) check all the system settings, how could I? There are millions of them.

I will install an AV when my PC is in working order again.

#23 David Balažic (Topic Starter, Members, 28 posts)

Posted 18 September 2012 - 05:57 PM

Just for the record: When I try to enable SR for my C: drive I get these error dialogs:

---------------------------

---------------------------
Could not apply the settings for the following reason:

The filename, directory name, or volume label syntax is incorrect. (0x8007007B)
---------------------------
OK
---------------------------



---------------------------

---------------------------
There was an unexpected error in the property page:



The filename, directory name, or volume label syntax is incorrect. (0x8007007B)



Please close the property page and try again.
---------------------------
OK
---------------------------

#24 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 18 September 2012 - 06:44 PM

Hi again,

> I did not (and can not) check all the system settings, how could I? There are millions of them.

I was only inquiring about the ones that have been disabled that you already knew about. Yes there are plenty of them, and it's hard to check all of them. Are you experiencing any other problems as of now that we need to deal with?

There are ways of repairing the OS, but I need to know what's broken as of now.

==========

We need to run the SFC /SCANNOW Command

The sfc /scannow command (System File Checker) scans the integrity of all protected Windows system files and replaces incorrect corrupted, changed/modified, or damaged versions with the correct versions if possible.

Note: Be aware that if you have modified your system files as in theming explorer/system files, running sfc /scannow will revert the system files such as explorer.exe back to its default state.

Note: Make the appropriate backups of your system files that you have modified for theming if you wish to save them before running sfc /scannow.


For Windows Vista / 7:

  • Click the Windows "Orb" button.
  • Type cmd.
  • Right click on the search result cmd.exe and click Run as Administrator.


Next:

  • Copy the following line of text and paste it into the black box.
    (right-click in the black box and choose paste)

    sfc /scannow
  • Press Enter to run the command.
    Note: This may take a while to finish.
  • If SFC could not fix something, then run the command again to see if it may be able to the next time. Sometimes it may take running the sfc /scannow command 3 or more times to completely fix everything that it's able to.
If you are asked to insert your Windows CD/DVD, do so with the one you have. If that doesn't work, then Continue with the scan.

Let me know how that goes! I would also like you to install an AV program now as mentioned earlier...my recommendation is Microsoft Security Essentials.

bloopie

Edited by bloopie, 18 September 2012 - 06:44 PM.


#25 David Balažic (Topic Starter, Members, 28 posts)

Posted 20 September 2012 - 01:44 PM

C:\Windows\system32> SFC /SCANNOW

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\Windows\system32>



I also installed MSE.
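Both the FSS log earlier in the thread (every "MD5 is legit" line) and the sfc /scannow run above rest on the same technique: hash each protected file and compare it with a known-good value. The code below is an added example for this thread, not part of FSS, SFC or any tool the thread mentions. It builds a small baseline of file hashes, tampers with one file and removes another, and then reports each path as legit, MISMATCH or MISSING, which is the three-way verdict an integrity check needs to give. The files, their contents and the directory are constructed inside a temporary folder so the example runs offline; SHA-256 is used here rather than the MD5 that FSS prints, because MD5 collisions are cheap to produce and a baseline is only as trustworthy as the hash it stores.

```python
import hashlib
import os
import tempfile
from typing import Dict


def file_hash(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large binaries (drivers, DLLs) do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_baseline(baseline: Dict[str, str], algorithm: str = "sha256") -> Dict[str, str]:
    """Compare every file in the baseline with its recorded hash.

    Returns a verdict per path: 'legit' (hash matches), 'MISMATCH' (file changed)
    or 'MISSING' (file no longer present). A missing protected file is reported
    separately because it is a different kind of damage from a modified one."""
    verdicts: Dict[str, str] = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            verdicts[path] = "MISSING"
            continue
        actual = file_hash(path, algorithm)
        verdicts[path] = "legit" if actual == expected.lower() else "MISMATCH"
    return verdicts


def demo() -> Dict[str, str]:
    """Constructed scenario: three baselined files, one tampered, one deleted.
    Returns verdicts keyed by file name so the outcome is easy to inspect."""
    workdir = tempfile.mkdtemp(prefix="baseline-demo-")
    known_good = {
        "svc.dll": b"known good service bytes",
        "drv.sys": b"known good driver bytes",
        "gone.dll": b"file that will be removed",
    }
    for name, data in known_good.items():
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(data)

    # The baseline would normally be recorded on a clean system or shipped by the vendor.
    baseline = {
        os.path.join(workdir, name): hashlib.sha256(data).hexdigest()
        for name, data in known_good.items()
    }

    # Simulate damage: append bytes to one file and delete another.
    with open(os.path.join(workdir, "drv.sys"), "ab") as f:
        f.write(b" patched")
    os.remove(os.path.join(workdir, "gone.dll"))

    verdicts = check_against_baseline(baseline)
    return {os.path.basename(path): verdict for path, verdict in verdicts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name} => {verdict}")
```

The baseline dictionary is the part that matters in practice: it has to come from somewhere you trust more than the machine being checked (a clean install, vendor-published hashes, or a signed catalog), otherwise a check that reads its expected values from the same disk proves nothing.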

#26 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 20 September 2012 - 04:29 PM

Hi again,

I doubt that helped, but can you enable System Restore now?

If not follow these instructions:

Download Windows Repair (all in one) from this site

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

[image]



Once that is done then skip Step 3.

Go to Step 4 and under "System Restore" click on Create button:

[image]


Go to Start Repairs tab and click Start button.

[image]


Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

[image]

Click on box next to the Restart System when Finished. Then click on Start.

==========

Let me know how things are after that. :thumbup2:

bloopie

#27 David Balažic (Topic Starter, Members, 28 posts)

Posted 21 September 2012 - 12:24 PM

It kind of works, see picture.

I can create new System Restore points. Just the ones before running CF are nowhere to be seen.

Attached file: sr.png (57.34 KB)


#28 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 21 September 2012 - 01:51 PM

Hi again,

Glad that works now! :thumbup2:

> I can create new System Restore points. Just the ones before running CF are nowhere to be seen.

Unfortunately, that's what you get when you turn off system restore. All of your old restore points are deleted when system restore gets turned off.

But in reality, that's not such a bad thing for us as old restore points usually get infected as well when malware is on the system. We will be flushing out the system restore anyway shortly. :thumbup2:

Now that it's working correctly, let me know if there are any other problems you'd like me to know about, and we'll move on to the next two steps! :)

==========

Step :step1:
I see you have Malwarebytes Anti-Malware installed, so I'd like you to update it, run a full scan and post the log in your next reply.

==========

Step :step2:
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

==========

Please post both logs in your next reply!

bloopie

#29 David Balažic (Topic Starter, Members, 28 posts)

Posted 21 September 2012 - 06:09 PM

> Hi again,
>
> Glad that works now! :thumbup2:
>
> > I can create new System Restore points. Just the ones before running CF are nowhere to be seen.
>
> Unfortunately, that's what you get when you turn off system restore. All of your old restore points are deleted when system restore gets turned off.
>
> But in reality, that's not such a bad thing for us as old restore points usually get infected as well when malware is on the system. We will be flushing out the system restore anyway shortly. :thumbup2:
>
> Now that it's working correctly, let me know if there are any other problems you'd like me to know about, and we'll move on to the next two steps! :)

But I did not turn off System Restore.

Also, I have no malware.
I run MBAM, ESET Online and others regularly. But I will run them again...

#30 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 21 September 2012 - 06:16 PM

Hi again,

> But I did not turn off System Restore.

As I mentioned before, there could be a number of reasons why SR was turned off. Could be the infection you may have had or something we're unaware of.

> Also, I have no malware.

Maybe so, but I need to check before I can close this topic. Thank you for that! :)

bloopie
