Is there hope?

Discussion in 'Malware Help (A Specialist Will Reply)' started by idssteve, Jun 4, 2012.

  1. idssteve

    idssteve Private E-2

    This is my personal 10+ yr old Panasonic Toughbook CF71 that’s used for work. Mostly programming PLCs, Touchscreens, etc. I stupidly loaned it to a coworker (again!) to bail him out with a high value client. He’d used it several times before and I THOUGHT I could trust him. Fool me twice, shame on me.

    For the record it’s a 600Mhz, P3 with 384MB ram (maxed) and 120GB hd (also maxed). Fully updated (as of a couple weeks ago anyway) XP Pro SP3, NOD32-4, MBAM real time, WinPatrol, SpywareBlaster, Zone Alarm 8. I’d resisted upgrading ZA after hearing that later versions had trouble with the industrial Ethernet LANs I work with. Was that a mistake? NOD32 is scheduled to scan nightly. MBAM also quick scans nightly. SuperAntispyware, Hitman Pro and Spybot SD scans weekly. I’d disabled Spybot Teatimer after installing WinPatrol a couple years ago.

    Coworker returned the machine saying he had some trouble but “it’s all fixed now”. Upon boot up, “Operating System not found”. My blood pressure is still boiling. I needed this machine to do my job for MY waiting client! Back to the motel.

    Did a “fixmbr” from an XP SP2 disk (never had an SP3 disk, was sp2 OK?). Got it to boot to “Welcome” screen and then BSOD to STOP c0000218. Boot to safe mode hung at MUP.SYS. Boot into “last known good configuration” failed. Back to recovery console and found “system volume information folder” to be missing snapshot folder. Dozens of restore folders there but not a single snapshot. Is there malware that deletes those?

    Slaved up the old backup hard drive this drive had been “cloned” from (with Casper) a few months ago and batch file copied its 5 registry hives onto this drive. Was the slave drive at risk of infection? Successfully booted to windows and it then immediately demanded to be re-Activated. Couldn’t connect to internet with the Buffalo wifi card so swapped out to Ethernet card and connection and Activation successful. Motel, thankfully, still had good old Ethernet. This machine’s Wifi still doesn’t work. No clue why but haven’t really investigated.

    Promptly backed up all critical data files onto an external SATA drive. Is that external drive now infected? If so, can it be cleaned?

    Re-booted into chkdsk f and r and it found and repaired countless errors. I was on the phone and couldn’t take proper note of exactly what, but it had to be hundreds of errors. Booted back to Windows and promptly updated NOD32 and scanned. It found at least one virus and numerous other risks that I permitted it to fix. Should I provide you with that log?

    Also scanned with MBAM, SAS, SpyBot, Hitman Pro, Online ESET, and they all found their share of risks and/or outright viruses. I let each of them perform repair as they wished. Too preoccupied with phone calls to make proper note of what, exactly, they found. Should be in scan logs, though.

    Also ran CCleaner and its “Registry Cleaner”. I knew better but anger at my coworker and pressure from a justifiably impatient client was clouding judgment. Also ran PCPitstop Optimize 3. Same excuse. Finally got the thing working well enough to do my job for my client and things seemed OK for a while.

    BUT, in the week or so since all of that, NOD32 has hung up at the splash screen and then failed to start at least a dozen times. Splash screen stays up at least 10x longer than ever before during boot up. NOD32 has been automatically sending at least 5 seemingly random files to ESET each day. It did that once or twice per year, historically. At least twice NOD32 complained it “failed to communicate with kernel”. ESET suggested downloading and running ESET Sirefef Remover and it found nothing. Kaspersky TDSSKiller also found nothing.

    Tried to run a rescue boot disk scan from BitDefender and another from Kaspersky but they both locked up after a couple hours. Let each run for two days before stopping. Both of these require 512MB ram. My old machine can only muster 384MB ram.

    Internet Explorer pauses and hangs for 5-10 minutes per page. Interestingly, I’m unable to reach MajorGeeks’ Combofix download page without IE pausing several minutes and then shutting itself down. CPU and memory usage for it gets very large, compared with just a few weeks ago. Pale Moon browser at least reached and downloaded Combofix but keeps shifting itself to “work offline” despite having a solid connection via Ethernet. It works fine for several hours after un-checking “Work Offline” and then that somehow, mysteriously, gets selected again. WIFI still does not work.

    MalwareBytes has also occasionally shut down without any warnings. It restarts right back up from the Start menu, though its real time “Enable Protection” check box has to be re-clicked every time. Should I shut it down and enable SAS real time instead?

    Zone Alarm randomly failed to start 4 or 5 times and I disabled it (should I have un-installed it?) and then installed Private Firewall. Private Firewall is still in training, I believe.

    I’ve not permitted Windows Update to run since that episode for fear of compounding complications. Update is wanting to run, should I let it run?

    Since these were already installed, I didn’t download SAS and MBAM for the scans that created the attached logs. I simply configured existing SAS and MBAM to match the checkboxes in your preparation tutorial. Should I have uninstalled my existing SAS and MBAM and downloaded and installed fresh copies of these?

    I didn’t have Recovery Console installed on this machine before running ComboFix. ComboFix wanted to connect to the internet to get it but I just couldn’t bring myself to plug Ethernet back in while Fire Wall, NOD32 and MBAM were all disabled for the ComboFix scan. I denied ComboFix permission to access internet and it went ahead and completed its scan anyway. I’ve since installed Recovery Console. Should I re-run ComboFix?

    Sorry for being so long winded. Just don’t want to leave anything out. Probably have anyway. If you think I should, I could re-post a condensed version of this and download and run fresh copies of MBAM and SAS and log? Let me know your thoughts.

    Assuming it wasn’t infected by slaving it earlier, I could, as a last resort, revert back to the old original drive this drive was cloned from but there are some mission critical software packages I’d have to re-install. Some of these industrial softwares are real pains to re-license and re-activate. I’d really like to fix this poor thing, if possible. Is there hope?

    My background is industrial. I’ve been chewing on bits and bytes since 80 line Hollerith cards were “modern” but I know just enough to be dangerous to myself in this internet connected world. Please keep that in mind.

    At least I’ve somehow refrained from acts of violence against my once trusted coworker. So far, anyway. ;)

    Thanks for your efforts. Thanks for your patience.

    Steve

    Edit: OK, this is getting strange, SAS was the first scan I ran and I know I SAW the log file for that scan under …\ApplicationData\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs. Just went to get it to post here and ALL SAS log files are gone! Everything! Did ComboFix erase them or something else? I’ll re-run SAS and post that log if you say to.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7: right-click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  3. idssteve

    idssteve Private E-2

    Thank you. Here it is.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not seeing any malware.

    Uninstall the below software.
    • PC Pitstop Optimize 1.5
    • PC Pitstop Optimize2 2.0
    • PC Pitstop Optimize3 3.0

    Delete the following files.
    • c:\windows\~DFAE64.tmp
    • c:\windows\~DF8F94.tmp
    • c:\windows\~DF79D7.tmp

    Plug it in and have Malware Bytes and SUPERAntiSpyware do full system scans to include scanning of the external.

    In simple terms, or bullet points, explain to me what problems you have now.
     
  5. idssteve

    idssteve Private E-2

    Thank You Kestrel, still working on removing those items. The uninstall for PCPitstop complains: “Unable to create a temporary file. Setup aborted. Error 5: Access Denied”. I’ll keep working on that and get it done.

    Meanwhile, maybe I’m getting paranoid in my golden years but it sort of “feels” like this machine’s security is under assault. Each individual issue seems like a minor software glitch but taken as a whole seems to indicate a trend that gives some cause for pause. Are there enough trees to call it a forest?

    The intent below is for you to read the major bullets and then go back to the minor bullets if more detail might help. Trying to optimize your time while assuring adequate detail.


    • NOD32 pauses a LONG time during boot and about every 4th time simply doesn’t start.
      • Except for twice, no messages or warning. If I don’t specifically check I’d never know it wasn’t there.
      • It just now failed to start about 45min ago. Re-boot always brings it back.
    • NOD32 (or the OS) has twice issued “Error communicating with kernel” before failing to start.
      • (maybe it’d rather talk to a Major than a kernel. lol)
    • This morning, NOD32 had collected about 50 files it wanted to send in for analysis.
      • I OK’d that. Hope that’s ok. ?
      • No clue what ESET does with that and they haven’t explained why they sent them.
    • Zone Alarm randomly failed to start without any warning.
      • I’ve since replaced it with Private Firewall and haven’t re-tried it after administering Chas’ excellent “Malware Removal Guide Regimen”. Maybe it’s a non-issue, now.
    • Malware Bytes keeps shutting off “Enable Protection”.
      • Again, no warning. Just have to keep checking it. It only shut off once today, so far. :)
    • Superantispyware appeared to be working fine but the entire log folder got emptied yesterday.
      • No trace in recycle bin.
      • (maybe some snafu on my part?)
    • All day, today, when I click on “Check for Updates”, Superantispyware completes “Authenticating Connection” but fails at “Checking for Definition Updates”.
      • Maybe problem on their end?
    • IE is slow, slow and using at least twice the ram and cpu that it EVER did before.
      • IE locks up or shuts down regularly but the fastest way to exit IE is to attempt to load MajorGeeks’ Malware Removal forum page.
      • No Kidding!
      • IE disappears faster than I ever thought possible. I wish IE would shut down that fast normally.
      • Haven’t tried disabling add-ons yet.
    • Pale Moon surfs fine but randomly puts a check at the “Work Offline” option.
      • It’s done that a couple times today. Again, no warning.
      • I haven’t tried FireFox.
    • When plugged in, the Buffalo WiFi card lights up with activity and DHCP assigns IP but browsers and “Wireless Connection” indicates “not connected”.
      • My office router logs show a LOT of activity over that WiFi card when it’s plugged in and “not connected”. Would it do any good to trace the WAN IP’s it’s pinging?
      • Maybe interference from the new software firewall?
      • RJ45 Ethernet card function seems normal.
    • Several times an hour, the hard drive goes crazy like something is scanning.
      • There’s no indication that NOD, MBAM, or anything I can identify is causing it.
    • Unable to open Directsoft PLC programming software.
      • Maybe an irrelevant problem but mentioned for completeness.

    Word, Excel, Quick Cad, Quicken, and other non-security related programs seem to function unchanged. I haven’t yet opened Outlook Express since the crash for fear of “thermonuclear exploding messages”, lol. Just waiting for your valued OK to try it. :)

    Some in my industry are sweating over some version of Stuxnet getting to their PLC’s. Interesting that my coworker claims he was downloading Siemens PLC software when my machine crashed on him. I guess, by design, Stuxnet also targets Siemens PLCs, FWIW. Something we wouldn't have considered possible just a few years ago.

    Ah, conspiracies… ;)

    Once again, even the simplified version is windy. Ancient, semi retired, Engineers tend to be that way, I guess. Thank you, Kestrel, for your skills, time and patience.

    Steve
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello there Steve. :)
    Try Revo Uninstaller.
    Choose the option on the bottom of the list (#4). Be very careful while deleting the bolded registry items ONLY!! This software will create a system restore point for you as well prior to uninstalling a software program.


    Nod32 is obviously paid-for antivirus. How long remains on the subscription?
    What files were they? I suppose it did not let you know...
    Paid version or free?

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator.)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  7. idssteve

    idssteve Private E-2

    Hello, Doctor Kestrel :)

    Revo Uninstaller did the trick. I bought it. Thank you.

    NOD32 is paid up for another year, I think. I’ve used NOD, in various versions, since the 90s. It’s pretty light on system resources. Possibly TOO light since it obviously let SOMEthing through. I used AVG free for a couple years but it got a little too demanding for my antique machine. Always all ears for something better, tho. ?

    It does have a log file listing the files it sent to ESET for “analysis”. Can send if it’d help? Seemed mostly random program files. A good part of them had to do with PLC programming software packages and related stuff. NOD’s done that for years but it’s usually just a file or two per YEAR.

    I use the paid version of MalwareBytes. Also paid SAS. Always pay my way. Just how I am. I normally have MBAM set for “Enable Protection” and just use SAS for weekly scans. Have swapped those roles in years past when MBAM got a little cranky after a version change. MBAM usually seems a little lighter on my old machine, tho. It hasn’t shut itself off at all today. Unless I just jinxed it by bragging on it… Just checked, MBAM’s still there. :)

    I forgot to delete those three .tmp files from the Windows folder before running OTL. Just went back and deleted. Can run OTL again if needed??

    I don’t pretend to have a clue about reading OTL logs but some of the events of the last week, or so, sure don’t seem to be in there. Probably don’t know what I’m looking at.

    Craziest thing in all of this is that Buffalo wifi PCMCIA card. Its activity lights are very active but the “Wireless Network Connection” indicates “not connected”. We verified, positively, that the thing was solidly connected to the router, DHCP assigned, and was pinging the WWW like crazy. Private Firewall seems totally oblivious to the activity. Curious to see Zone Alarm’s reaction but don’t want to upset your diagnostic sequence.

    Interestingly, plugging that same card into a different but identical CF71 Toughbook showed NO issues. Swapping that machine’s hard drive into my machine with that card showed NO issues. SOMEthing on my hard drive is interacting with that Buffalo card in evil ways, I fear. I trust that evil has no chance to scurry from the fury of the Falcon…;) I’ll hold off on further hardware testing until you’ve ruled out malware issues.

    Thank you again, Kestrel. :) Hoping you grab a chance to get out away from the keyboard today and go listen to our feathered friends’ musical interaction. The internet was around quite a while before humans re-invented it. :)

    Steve
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome Steve. And yes, we have at least ruled out malware. :) You can feel free to post about any outstanding issues in other areas of the forum.

    Take care, and safe surfing.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  9. idssteve

    idssteve Private E-2

    Those are the words I was looking for. :) Time for some tough love on some hardware and software.

    Is there an appropriate place to leave a gratuity or anything? Saw your link to Jinx but t-shirts really aren’t my thing. Us industrial controls guys need to get out in the world a little more, I guess.

    Keep it Boolean!
    :) steve
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Your words of thanks are quite enough, but thank you for such a kind offer. :)

    LOL
     
