Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

grpconv error installing AV and ComboFix won't run


  • This topic is locked This topic is locked
5 replies to this topic

#1 ToddAndMargo

ToddAndMargo

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 10 June 2013 - 06:08 PM

Hi everyone!

Help!

I have a customer with XP Pro SP3.  When I went to upgrade Kaspersky Endpoint Security (kes10win_10.1.0.867en.exe), I got three prompts telling me c:\windows\system32\grpconv.exe was locked.  So I uploaded grpconv to virustotal and got told nothing was wrong with it.  I was able to click past the prompts.   The symptoms reproduce with the prior version of KESS (kes8.1.0.831_wksfswin_en.exe)

Unlocker said grpconf was locked to explorer.exe

Suspicious, I ran GMER root kit revealer from http://www.gmer.net.  Found nothing.  Not satisfied, I ran combo fix.  Got to the "it takes 10 minutes..." message and then nothing.  So I left it run overnight.  ComboFix never started counting.  And, in the morning, the machine was frozen.

Her machine is running slow and weird too.  I am so suspicious.

I found this on the web: http://www.securitystronghold.com/gates/grpconv.html

But I smell a rat.

Kaspersky tech support drew a blank.

I downloaded and ran DDS.com to get a report.  I get the scanning screen with the "please wait" and the blocks going across.  The blocks get to about 80% and then nothing for 20 minutes (would have left it longer, but the customer had to power off due to thunder storms).  It is suppose to take three minutes.  CPU was ~6% and dds.com was 0%.

What to do next?

Is there a way to run Combo Fix from a PE disk?  (Virus would be off.)

I would run Kaspersky's Rescue Disk, but as I sell Kaspersky, I have learned that if the Windows product doesn't catch it, neither will the rescue disk, as they both use the same scanner and defination files.

Many thanks,

-T

 

 

 



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:54 AM

Posted 12 June 2013 - 10:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
  • ===


    Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
    tdss1.png
  • Click Change parameters
    settings20121003115955.png
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
    tdss3.png
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
    tdss4.jpg
  • When it finishes, you will either see a report that no threats were found like below:
    tdss5.jpg
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    tdss7.jpg
  • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
  • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
  • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
  • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.

  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:
    tdss6.jpg
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Paste the log to your next reply, DO NOT ATTACH IT.
  • [/list]
    ===

    Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
    ===

    Please post the logs DO NOT attach them.


#3 ToddAndMargo

ToddAndMargo
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 14 June 2013 - 06:17 PM

Hi,

 

I am not ignoring you.  I have to talk the customer into letting me spend some more time on this.  Maybe next week.  Thank you for the response.

 

-T



#4 ToddAndMargo

ToddAndMargo
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 17 June 2013 - 01:50 PM

The customer decided he did not want to spend any more time and money on the problem.  He does his banking on this computer and since, as far as we can tell, he has had this infection for over three years and has had no compromises of his banking, he thinks it is not a threat.

Thank you for the help.  I copied down everything you told me to do for future reference.

-T



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:54 AM

Posted 18 June 2013 - 06:26 AM

It's his lost.

Thank you for the feedback.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:54 AM

Posted 18 June 2013 - 06:27 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users