ComboFix has detected the following error

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by WHAnderson, Oct 10, 2011.

  1. WHAnderson

    WHAnderson Private E-2

    While cleaning an XP Pro 2002 SP3 computer, when I get to the step for running ComboFix I receive the following dialog box:

    I have searched both BleepingComputer and Major Geeks for similar questions, with no luck in finding an answer. As far as I can tell the VirusRanger 3.2 has been completely cleaned from the computer, including Registry Entries. And, WebRoot is not active, I need to re-install it.

    Where is ComboFix finding the entries to report them as active?

    Thanks
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. Just continue on then despite the warning. Combo is just finding remnants from those programs.
     
  3. WHAnderson

    WHAnderson Private E-2

    I have done that in the past, when I knew it to have been a real anti-virus which was uninstalled. However, I am not that trusting when dealing with things like VirusRanger.

    I accomplished a 100% file search for files containing the VirusRanger text. The only files with that text in them were the ComboFix files. So, I'm still curious where these "remnants" are located that ComboFix is accessing? :major
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    They could be in the registry, system restore or other places. Kes will not know nor be able to remove them until you attach the log.
     
  5. WHAnderson

    WHAnderson Private E-2

    Finished Malware steps RootRepeal gives error

    The computer is a Dell Dimension 4550 with XP Pro SP3 installed and the owner used the built-in Microsoft Windows compression utility to make the hard drive larger. My first steps were to restore the Registry keys which had been deleted by an online support group. Then I had to restore the networking so I could at least use a Static IP. DHCP is still inoperative.

    I have just finished going through the Malware Removal Instructions. The last step calls for RootRepeal to be run.

    When starting RootRepeal I get a warning message:

    Not sure what to do next. :confused

    I am attaching the MGLogs.zip.

    Thanks
     

    Attached Files:

  6. WHAnderson

    WHAnderson Private E-2

    OK. I am attaching the combofix log.

    Thanks
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Finished Malware steps RootRepeal gives error

    Rootrepeal is not the last step. MGtools is.

    Where are the requested logs for SUPERAntiSpyware, Malwarebytes and ComboFix?

    Also what malware problems are you having?

    Also your MGtools log is from Safe Boot Mode. We want logs from normal boot mode unless you cannot run in normal boot mode, but you did not say you had this problem.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Great. Now can you attach the rest of the requested logs from running the tools in the READ and RUN ME FIRST procedures. :) Thanks.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Finished Malware steps RootRepeal gives error

    Wait!!!! Is this the same computer as in your other thread? Why did you start two threads???
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: Finished Malware steps RootRepeal gives error

    Sorry for intruding, but is THIS the same machine? :confused

    Yes Chas...same machine!
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Finished Malware steps RootRepeal gives error

    Merged back into one thread.

    But the comment about safe mode still applies? Also if you want to fix a particular user account, then scans have to be run while logged into that account and not the Administrator account. Also WebRoot Software still shows in Add/Remove Programs.
     
  12. WHAnderson

    WHAnderson Private E-2

    Re: Finished Malware steps RootRepeal gives error

    I mis-spoke about RootRepeal being the last step. It was the last step indicating a problem. MGTools does not tell me anything when it is running.

    And, my question of where ComboFix saw the invalid entries was one of curiosity; I did not consider it to be part of the problems I am working on. I was just curious.

    The logs are now uploaded.

    Most of the malware problems have been corrected. Once the "Invalid PE image" error is corrected I hope to get the DHCP working.

    When I started I had to manually restore missing Registry Entries to be able to do anything. I was finally able to run 'sfc /scannow' to replace all of the missing dlls. I ran XPFix and WinSockFix to allow me to have network and internet access. Once those were done I ran CCleaner to clean out invalid and empty keys/entries. Then I turned off 'System Recovery' and deleted all of the temp files. Ran Defrag on the hard drive and, using its report, deleted the files that could not be defragged. At that point I started to go through the Malware Removal Procedures I found here.

    Now I am down to RootRepeal telling me that it finds an 'invalid PE image'.

    Thank you for your patience and for correcting my error of two threads.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Finished Malware steps RootRepeal gives error

    In security center and in your drivers as shown in the log. I will give you a way to remove this below along with other needed fixes. But you also need to go to Add/Remove programs and uninstall Webroot. It still showed in your uninstall programs list.


    Not a malware problem. It is a problem with your OS.

    You likely lost the ability to easily fix this due to what you did below.

    Neither of these were things that you should do as stated in our cleaning instructions. Registry cleaning is not helpful and typically causes more harm than good, as it removes things that are not problems and could even be there for a reason. Even a brand new clean install of only Windows can show several hundred "supposed errors" in these registry cleaning tools and they are not problems. When you disabled system restore before all your malware cleaning was certified to be finished, you lost the ability to use a restore point to possibly fix your broken TCP/IP stack, which the Zero Access infection you had (and still have signs of) broke. The only possible solution now (which also may not work) is to delete your network interface hardware from Device Manager and then totally reinstall all the software. You need to reinstall and not just use drivers that may be found on the hard disk.

    Who installed the below remote control software and is it still in use?

    Now do all of the below in Normal Boot Mode and on the user account that is having malware problems.

    Uninstall the below as requested in the READ & RUN ME:
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    Viewpoint Toolbar



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. WHAnderson

    WHAnderson Private E-2

    Thanks for the Guidance and help.
    That is what I feared. This error can indicate an MBR infection. Since the guy compressed the hard drive, I am unable to use the Repair Console.


    When I first received the machine there was no networking capability at all. The Registry Keys for NetBT and TCP/IP had been deleted. Once I restored them from a Registry back-up I had Networking. But, I had to manually input static IPs. Once that was accomplished I now have network and internet access.

    The registry was really trashed. Once CCleaner was finished (I was careful in what I allowed it to delete), the system was able to boot up with very little difficulty and quickly.

    My mistake. The hard drive only had 9% of free space and this had become one of the items I cleared when working on infected systems.

    This is part of the CNC Control Software. This computer is used for manufacturing fire fighting and rescue tools with a CNC machine. Otherwise I would not have even tried to get it back up and running. The CNC software requirements are antiquated and will not work on newer systems.

    The 'Viewpoint Software' has been uninstalled.

    I've finished with your instructions and have attached the two files.

    Thanks
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    It does not look like you have one of those MebRoot MBR infections. You don't have the files or other signs. But we can run the below anyway.

    Please also download MBRCheck to your desktop.


    See the download links under this icon.
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
    Okay, but this will not be a good long-term solution.

    We almost never clear System Restore until we are sure all malware is gone. Our motto is, "Even an infected restore point can be better than none at all when a removal procedure goes haywire".

    Looks like we got rid of the rest of the ZA infection but let's run the below steps.

    Uninstall My.Freeze.com NetAssistant

    Delete the below leftover folder:
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Viewpoint




    Now please save Win32kDiag file to your desktop.
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    "%userprofile%\desktop\win32kdiag.exe" -f -r
     
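The MBRCheck step above reports either a clean sector or a "non-standard or infected MBR". As an added example (not MBRCheck's code, and not part of the original thread), the script below shows what that verdict amounts to when you do it by hand over a raw 512-byte sector: the 0x55AA boot signature must be present, exactly one partition should be flagged bootable, and the 440-byte bootstrap loader should hash to the value recorded from a clean machine. The sample sectors, the stand-in loader bytes and the "known-good" hash are all constructed here; a real baseline must come from a clean machine of the same make, because OEM loaders legitimately differ from the Microsoft one, which is exactly why the tool says "non-standard or infected" rather than "infected".

```python
"""Added example, not MBRCheck's code: the checks behind a "non-standard or
infected MBR" verdict, run over a raw 512-byte sector.  All sample sectors,
the stand-in loader bytes and the "known-good" hash are constructed here."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # bootstrap loader; then 4-byte disk signature, 2 reserved bytes,
DISK_SIG_OFF = 440      # four 16-byte partition entries and the 0x55AA boot signature
PART_TABLE_OFF = 446
BOOT_SIG_OFF = 510


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot-code hash, boot signature flag and used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    boot_sig = struct.unpack_from("<H", sector, BOOT_SIG_OFF)[0]   # bytes 55 AA read LE as 0xAA55
    partitions = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:      # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": boot_sig == 0xAA55,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, known_good_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_hash:
        findings.append("bootstrap code differs from known-good loader")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d partitions flagged bootable (expected 1)" % len(bootable))
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given loader bytes, one bootable NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x1A2B3C4D)          # arbitrary disk signature
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20_000_000)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Stand-in loader: classic xor ax,ax / mov ss,ax / mov sp,7C00h / sti prologue padded with NOPs.
# Its hash is the "baseline" here; on a real job the baseline comes from a clean machine of the same make.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * (BOOT_CODE_LEN - 8)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
KNOWN_GOOD_BOOT_HASH = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

# A bootkit-style modification: the first instruction is replaced by a short jump (here into the
# NOP padding), so the partition table and signature stay intact and only the loader hash changes.
_patched = bytearray(CLEAN_MBR)
_patched[0:2] = b"\xeb\x30"
PATCHED_MBR = bytes(_patched)

# A sector with the boot signature wiped, as left behind by a bad write to sector 0.
_nosig = bytearray(CLEAN_MBR)
_nosig[BOOT_SIG_OFF:] = b"\x00\x00"
NOSIG_MBR = bytes(_nosig)

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR), ("no-sig", NOSIG_MBR)):
        print(label, check_mbr(mbr, KNOWN_GOOD_BOOT_HASH) or "OK")
```

On a live XP box the sector comes from opening \\.\PhysicalDrive0 for raw reading as an administrator; keep in mind that a kernel-resident rootkit of the TDL or ZeroAccess generation can filter what a raw read returns, so a clean result taken from inside the running OS is weaker evidence than the same read taken from offline boot media.
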
  16. WHAnderson

    WHAnderson Private E-2

    Here are the two logs. I have uninstalled My.Freeze.com and removed the left over Viewpoint folder.

    I am still searching for the way to restore the DHCP. There was another problem, no CD-Rom access. That is now corrected by repairing the Registry Entries.

    I will remember about the System Restore points.

    Thanks
     

    Attached Files:

  17. WHAnderson

    WHAnderson Private E-2

    Just a note on the DHCP problem. It is now repaired. There were two CurrentControl registry entries missing, the netbt.sys file was missing and the netbios.sys file was corrupted.

    DHCP is working great, now. :)
     
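RootRepeal's "invalid PE image" warning (post 12) and the repair described above, a missing netbt.sys and a corrupted netbios.sys, come down to one audit: for each driver the TCP/IP stack needs, is the file present, do its PE headers parse, and does its hash match a known-good copy? The script below is an added example of that audit in Python; it is not RootRepeal's, ComboFix's or MajorGeeks' code. The driver "files", their code bytes and the known-good hashes are all constructed inside the script; on a real system the bytes would be read from \system32\drivers and the baseline hashes taken from a clean install of the same service pack.

```python
"""Added example, not RootRepeal's code: the checks behind an "invalid PE image"
report, run over a constructed stand-in for \\system32\\drivers.  Every file,
code byte and known-good hash below is made up for the demonstration."""
import hashlib
import struct
from typing import Dict, List, Optional

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
IMAGE_FILE_MACHINE_I386 = 0x014C  # 32-bit x86, what XP drivers are built for
PE32_MAGIC = 0x10B


def validate_pe(data: bytes) -> Optional[str]:
    """Return None if the PE headers are structurally sane, else the first defect found."""
    if len(data) < 0x40:
        return "too short for a DOS header"
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        return "e_lfanew points outside the file"
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return "missing PE signature at e_lfanew"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if machine != IMAGE_FILE_MACHINE_I386:
        return "unexpected machine type 0x%x" % machine
    if not 1 <= nsections <= 96:
        return "implausible section count %d" % nsections
    sections_off = e_lfanew + 24 + opt_size
    if sections_off + 40 * nsections > len(data):
        return "section table runs past end of file"
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sections_off + 40 * i)
        if raw_ptr + raw_size > len(data):
            return "section %s raw data runs past end of file" % name.rstrip(b"\0").decode("ascii", "replace")
    return None


def audit_drivers(files: Dict[str, bytes], expected: List[str], known_good: Dict[str, str]) -> Dict[str, str]:
    """Classify each expected driver as missing, structurally invalid, hash mismatch, or ok."""
    report = {}
    for name in expected:
        data = files.get(name)
        if data is None:
            report[name] = "missing"
            continue
        defect = validate_pe(data)
        if defect:
            report[name] = "invalid PE: " + defect
            continue
        if known_good.get(name) != hashlib.sha256(data).hexdigest():
            report[name] = "hash mismatch (structure valid, contents differ from known-good)"
        else:
            report[name] = "ok"
    return report


def build_sample_driver(code: bytes) -> bytes:
    """Constructed minimal PE32: DOS header, NT headers, one .text section holding `code`."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    sections_off = e_lfanew + 24 + opt_size
    hdr = bytearray(raw_ptr)
    struct.pack_into("<H", hdr, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    struct.pack_into("<I", hdr, e_lfanew, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", hdr, e_lfanew + 24, PE32_MAGIC)
    struct.pack_into("<8sIIII", hdr, sections_off, b".text", len(code), 0x1000, len(code), raw_ptr)
    return bytes(hdr) + code


# Clean stand-ins (tiny x86 stubs such as push ebp / mov ebp,esp / xor eax,eax / pop ebp / ret 8).
_CLEAN = {name: build_sample_driver(code) for name, code in {
    "ndis.sys":    b"\x55\x8b\xec\x33\xc0\x5d\xc2\x08\x00",
    "tcpip.sys":   b"\x55\x8b\xec\xb8\x01\x00\x00\x00\x5d\xc3",
    "netbios.sys": b"\x55\x8b\xec\x5d\xc3",
    "netbt.sys":   b"\x55\x8b\xec\x33\xc0\x5d\xc3",
}.items()}
KNOWN_GOOD_HASHES = {n: hashlib.sha256(d).hexdigest() for n, d in _CLEAN.items()}   # assumed baseline

_corrupt_netbios = bytearray(_CLEAN["netbios.sys"])
_corrupt_netbios[0x40:0x80] = b"\0" * 0x40            # NT headers clobbered: the loader rejects this
_patched_tcpip = bytearray(_CLEAN["tcpip.sys"])
_patched_tcpip[0x200:0x205] = b"\xe8\x00\x00\x00\x00"  # well-formed file, but the code was altered

SAMPLE_DRIVERS = {
    "ndis.sys": _CLEAN["ndis.sys"],
    "tcpip.sys": bytes(_patched_tcpip),
    "netbios.sys": bytes(_corrupt_netbios),
    # netbt.sys deliberately absent, as in the repair described in the thread
}
EXPECTED_DRIVERS = ["ndis.sys", "tcpip.sys", "netbt.sys", "netbios.sys"]

if __name__ == "__main__":
    for name, verdict in audit_drivers(SAMPLE_DRIVERS, EXPECTED_DRIVERS, KNOWN_GOOD_HASHES).items():
        print("%-12s %s" % (name, verdict))
```

The tcpip.sys case is the caveat worth keeping: a file can be a perfectly well-formed PE and still have been patched, so the structural check is only the first pass and the hash comparison (or, better, a signature check against Microsoft's catalog files) is what decides. Structural defects like the netbios.sys case are the ones the loader refuses outright, which is the kind of breakage that leaves the stack unusable until the file is replaced from a known-good source.
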
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent news. The ZeroAccess infection can infect various system files causing a variety of issues, but it is quite common that the TCP/IP stack gets totally corrupted and manual repair becomes necessary as none of the normal quick repair methods work. Even a reinstall of the hardware drivers has not normally worked. This is where a system restore of the registry could prove to be useful. ;)


    Win32kDiag did find some left over issues due to a previous TDL infection ( an older MAX++ form ). It would be a good idea to run it one more time and attach another log to see if it was able to repair those items. There may be some residual permissions issues on some files, folders, and registry keys.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One more thing. It would be a good idea to run TDSSkiller per the below.


    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    Be sure to attach your log from TDSSKiller
     
  20. WHAnderson

    WHAnderson Private E-2

    Good to hear Zero Access is cleared.

    Here are the TDSSKiller and Win32kdiag logs.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  22. WHAnderson

    WHAnderson Private E-2

    :-D Thank You!!!

    As always, you have provided the necessary guidance and patience to help clean up an infected system.

    Major Geeks are awesome! :-D
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
