Author Topic: Problems return after reboot  (Read 26156 times)

0 Members and 8 Guests are viewing this topic.

Reply #15May 03, 2016, 05:27:38 AM

jpraymond

  • Newbie

  • Offline
  • *

  • 23
  • Reputation:
    0
    • View Profile
Re: Problems return after reboot
« Reply #15 on: May 03, 2016, 05:27:38 AM »
Will try tomorrow after court in order to zip smaller files, as the whole thing just won't upload. I need to shower, and get up in 5 hours. Thanks for everything! Peace,

Attachment file from running RK program, coming out clean... perhaps someday you'll be able to address the hooks?

JP

Reply #16May 03, 2016, 05:37:07 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Problems return after reboot
« Reply #16 on: May 03, 2016, 05:37:07 PM »
Hi jpraymond,

Quote from: jpraymond
Will try tomorrow after court in order to zip smaller files, as the whole thing just won't upload. I need to shower, and get up in 5 hours. Thanks for everything! Peace,
Please take your time, this is not urgent. :)

Quote from: jpraymond
Attachment file from running RK program, coming out clean... perhaps someday you'll be able to address the hooks?
I think those hooks are implemented by Norton Security System, so it's safe to assume they are legit.

Regards.

Reply #17May 03, 2016, 08:00:41 PM

jpraymond

  • Newbie

  • Offline
  • *

  • 23
  • Reputation:
    0
    • View Profile
Re: Problems return after reboot
« Reply #17 on: May 03, 2016, 08:00:41 PM »
I hope the first zip file went through ok? Here are the "Logs" content. Never mind my question in previous reply, as I did not know I could reply to the same post more than once... (if the first one did not work, then this will be the first and I'll have to split the previous .zip file)

Much like life, this is a continuous growing experience, or a permanent learning curve...  ???

Reply #18May 03, 2016, 08:13:48 PM

jpraymond

  • Newbie

  • Offline
  • *

  • 23
  • Reputation:
    0
    • View Profile
Re: Problems return after reboot
« Reply #18 on: May 03, 2016, 08:13:48 PM »
Does not look like the Hives.zip or Logs.zip worked, will try smaller sub-dirs...

Reply #19May 03, 2016, 08:20:42 PM

jpraymond

  • Newbie

  • Offline
  • *

  • 23
  • Reputation:
    0
    • View Profile
Re: Problems return after reboot
« Reply #19 on: May 03, 2016, 08:20:42 PM »
Sorry. you now have 2 "Logs"... how about a "Quarantine.zip" file, then I'll break down the hives.

FYI, Shockwave crashed, and has been doing that for over a week. With virus / trojan gone,Shockwave sucks!
« Last Edit: May 03, 2016, 08:43:58 PM by jpraymond »

Reply #20May 03, 2016, 08:50:41 PM

jpraymond

  • Newbie

  • Offline
  • *

  • 23
  • Reputation:
    0
    • View Profile
Re: Problems return after reboot
« Reply #20 on: May 03, 2016, 08:50:41 PM »
If I don't succeed the first time, try, try again  :-\

1.713 KB... what is the limit should this fail?

Reply #21May 03, 2016, 08:58:52 PM

jpraymond

  • Newbie

  • Offline
  • *

  • 23
  • Reputation:
    0
    • View Profile
Re: Problems return after reboot
« Reply #21 on: May 03, 2016, 08:58:52 PM »
That appears to have worked... next is "Hives_NoUsers"

7.27 KB

Ok. that seems to have worked... please email me it you encounter any problems with the files.

Thanks again Curson!

JP
« Last Edit: May 03, 2016, 09:02:08 PM by jpraymond »

Reply #22May 04, 2016, 12:48:00 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Problems return after reboot
« Reply #22 on: May 04, 2016, 12:48:00 AM »
Hi jpraymond,

This is perfect.
Many thanks. :)

Regards.

Reply #23May 04, 2016, 01:45:40 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Problems return after reboot
« Reply #23 on: May 04, 2016, 01:45:40 PM »
Hi jpraymond,

Thanks to your contribution, the analysis is doing great.
However, I would need an additional file to complete it.

Please follow the following process :
1) Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :
Code: [Select]
reg save HKCR "%USERPROFILE%\Desktop\HKCR.hiv"
Do not close the command prompt until it says "Operation Completed

5) A new file named HKCR.hiv should has been created on your desktop. Please zip it and attach it with your next reply.

Many thanks for your contribution. :)

Regards.

Reply #24May 19, 2016, 08:10:35 PM

jpraymond

  • Newbie

  • Offline
  • *

  • 23
  • Reputation:
    0
    • View Profile
Back again... {Sigh}
« Reply #24 on: May 19, 2016, 08:10:35 PM »
 Hi Curson, sorry to return with the "Same old story..." but it's back. After running Anti-Malware, after reboot, this appeared...

 "Cannot export C:\DOCUM~T\Temp/HKCURUNONBU.reg
:Error writing the file. There may be a disk of file system order."

 In a basic dialogue box that had "Ok", again appeared over the 1st box, then normal screen appeared under the 2, just before I clicked on X. Attached are screen shots.

 After many tries, I have yet to find something in both apps to cause it to check E: which is a problem.

 Could you explain what are the steps to take to cause both C: and E: to be scanned at the same time? I am stuck here and can go no further. Can't find anything under both SW programs to even check the E: drive alone. Need extra help here please?

In the AfterRK Run, you'll notice I did not check the box

             Detection                          Type
"Suspicious Path|Vt.unknown | Registry:Run ... as I was concerned the "Type" - Registry Run might make it worse.
If you think there is no damage, I'll run it again (will most likely will HAVE to anyway) after reboot. Attached is rk_1.tmp, and 2 saved screen shots.

Thanks for the advice on PDF-XChange Viewer ... it works GREAT!

Please advise when convenient for you...

Thanks yet again Curson!

(No directory was created as with previous work) Ok, now what? rk_1.tmp. will try to rename file with .txt extension

You cannot upload that type of file. The only allowed extensions are doc, gif, jpg, jpeg, pdf, png,t xt, zip, rar, 7z,log, json(?)

Addition: Anti-Malware continues to find
RootKit.Fileless.MYGen return after reboot, and running Rogue Killer this time nothing showed up, nor create new .tmp file. 

Also, forgot to mention, prior to this new problem, I have address book names, some new, and some old that had been deleted. These are still there, and have tried copying file, then import into "OpenOffice Calc" hoping to be able to edit/delete. The names that show when I forward, reply and any function in E-Mail I never added must be in a different file, that only shows up as mentioned.

I'm guessing when I attached E: (500 GB), and something there  probably caused the virus to return. Will try to redirect scan to both C: and E:, and will let you know what, if anything shows up.

I'll edit after trying this, normal, then safe mode (Unsure if the drivers load needed to run either, or both Anti-MalWare and RogueKiller, and hope for the best. Be back to let you know what happens.
« Last Edit: May 20, 2016, 05:11:49 AM by jpraymond »

Reply #25May 20, 2016, 02:22:13 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Problems return after reboot
« Reply #25 on: May 20, 2016, 02:22:13 PM »
Hi jpraymond,

The infection seems to have returned.
I believe it uses a vulnerability in Windows XP to propagate.

Quote from: jpraymond
Could you explain what are the steps to take to cause both C: and E: to be scanned at the same time? I am stuck here and can go no further. Can't find anything under both SW programs to even check the E: drive alone. Need extra help here please?
RogueKiller is currently only able to scan the systemdrive.
With Malwarebytes Anti-Malware it's possible, using the "Custom Scan" feature. Please do a scan of all your drives and attach the report obtained with your next reply.

Quote from: jpraymond
In the AfterRK Run, you'll notice I did not check the box

             Detection                          Type
"Suspicious Path|Vt.unknown | Registry:Run ... as I was concerned the "Type" - Registry Run might make it worse.
If you think there is no damage, I'll run it again (will most likely will HAVE to anyway) after reboot. Attached is rk_1.tmp, and 2 saved screen shots.
Please remove the following entry :
Quote
[Suspicious.Path|VT.Unknown] HKEY_USERS\S-1-5-21-839522115-1580818891-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Run | dzrth : "C:\Documents and Settings\Jeff\Local Settings\Application Data\ccb018\15848b.lnk"

Quote from: jpraymond
Thanks for the advice on PDF-XChange Viewer ... it works GREAT!
You are welcome.

Quote from: jpraymond
(No directory was created as with previous work) Ok, now what? rk_1.tmp. will try to rename file with .txt extension
I was able to read it this way. :)

Quote from: quote
Also, forgot to mention, prior to this new problem, I have address book names, some new, and some old that had been deleted. These are still there, and have tried copying file, then import into "OpenOffice Calc" hoping to be able to edit/delete. The names that show when I forward, reply and any function in E-Mail I never added must be in a different file, that only shows up as mentioned.
There is very little chance this issue is malware-related.

Please follow the following process :
1) Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :
Code: [Select]
reg save HKCR "%USERPROFILE%\Desktop\HKCR.hiv"
Do not close the command prompt until it says "Operation Completed

2) A new file named HKCR.hiv should has been created on your desktop. Please zip it and attach it with your next reply.

Regards.

Reply #26May 20, 2016, 09:48:09 PM

jpraymond

  • Newbie

  • Offline
  • *

  • 23
  • Reputation:
    0
    • View Profile
Re: Problems return after reboot
« Reply #26 on: May 20, 2016, 09:48:09 PM »
After a couple of reboots, and finding the problems came back each time, noticed it slows Mozilla Firefox down to a crawl after a short period of time, delaying my attempts to get back to the forum.

I've done everything possible to manually remove errors that return each reboot. I have 5 files to attach.

As the 47 items were on the screen, there was  an attempt to take a file from my system, to upload it to a virus database of some sort, but Malwarebytes blocked it every time. I will try to write down the IP address and try to add that to malwarebytes approved IP addresses.

Also tried to upgrade to a current version, but have problems trying to do such.

Reply #27May 21, 2016, 05:11:29 AM

jpraymond

  • Newbie

  • Offline
  • *

  • 23
  • Reputation:
    0
    • View Profile
Re: Problems return after reboot
« Reply #27 on: May 21, 2016, 05:11:29 AM »
This time, ran in safe mode. Ran RogueKiller first, (without driver)  found 15848b, and zipped it to be attached, and a couple others. however, when the system reboots (from Off, as to clear memory) to start, it all returns.

As far as upgrading, I purchased the license for 1 year, and don't want to buy, or extend yet, so what's the problem in trying to upgrade to newer version?

Thanks... will blow up system with Semtex if not fixed by Sunday   :o

Reply #28May 22, 2016, 03:28:08 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Problems return after reboot
« Reply #28 on: May 22, 2016, 03:28:08 PM »
Hi jpraymond,

Unless you attach the files as asked you to (Malwarebytes Anti-Malware's report and HKCR.hiv), I won't be able to help you.
Please attach them with your next reply.

Regards.

Reply #29May 22, 2016, 07:05:58 PM

jpraymond

  • Newbie

  • Offline
  • *

  • 23
  • Reputation:
    0
    • View Profile
Re: Problems return after reboot
« Reply #29 on: May 22, 2016, 07:05:58 PM »
i'm sorry, my attempt to reply did not work. I will try to zip the HKCR.hiv, then attach the zip file. Again, had to change .tmp to .txt.

Since the most recent time I ran Malwarebytes, was this AM after a forced  reboot (machine had not been shut down for 1 1/2 - 2 days), so please tell me where the report generated is found, and I'll attach it.

Also included is today's RK run, with a 2nd internet explorer affected, as before there was only 1. I could find no files generated after cleaning. Also still working to upgrade present version.

JPR